[ https://issues.apache.org/jira/browse/TIKA-3506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17412533#comment-17412533 ]

Tim Allison commented on TIKA-3506:
-----------------------------------

There was some movement on that issue, as you probably saw. Rolf didn’t think 
it was actually an issue and thinks it’ll still be several weeks.

Yes, we’ll update other vulnerable dependencies and prob all that don’t cause 
surprises in our regression tests.

Thank you for the ping!

> please fix multiple CVE in commons-compress for tika-parsers 1.x too
> --------------------------------------------------------------------
>
>                 Key: TIKA-3506
>                 URL: https://issues.apache.org/jira/browse/TIKA-3506
>             Project: Tika
>          Issue Type: Bug
>          Components: parser
>    Affects Versions: 1.27
>            Reporter: Stefan Seide
>            Priority: Major
>              Labels: security
>
> tika-parsers uses org.apache.commons:commons-compress as a dependency.
> All versions up to 1.20 have multiple medium vulnerabilities incorrectly 
> handling input data. These are fixed with current version 1.21.
> With tika-parsers 2.0 the new version is already used, therefore not a 
> problem anymore.
> But the older 1.x line uses the vulnerable commons-compress 1.20. Is it possible 
> to create a new security release for the 1.x line with this update?
> An update to the newer 2.x version needs a lot more time due to the breaking 
> changes mentioned at the release page (at least it reads so). A new 1.x 
> release would help to fix this security problem faster for all.
>  * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090]
>  * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35517]
>  * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35516]
>  * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35515]
> Thanks,
> Stefan Seide
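Until a tika-parsers 1.x release with the fixed dependency is available, a project can override the transitive commons-compress version in its own build. The following Maven fragment is an added example, not code from the Tika project or from this thread; it assumes a Maven build using the org.apache.tika:tika-parsers 1.27 artifact, and takes the "vulnerable up to 1.20, fixed in 1.21" versions from the issue text above.

```xml
<!-- Added example (not from the Jira thread): pin commons-compress to 1.21
     in a project that still depends on tika-parsers 1.x. The tika-parsers
     coordinates and version are assumptions for illustration. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>          <!-- placeholder -->
  <artifactId>tika-consumer</artifactId>  <!-- placeholder -->
  <version>1.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- dependencyManagement wins over the transitive 1.20 pulled in
           by tika-parsers, so Maven resolves 1.21 everywhere. -->
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-compress</artifactId>
        <version>1.21</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-parsers</artifactId>
      <version>1.27</version>
    </dependency>
  </dependencies>
</project>
```

After the override, `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress` should show only 1.21 in the resolved tree. Because this swaps a library underneath tika-parsers rather than upgrading Tika itself, the project's own parsing regression tests should be run against the pinned version, for the same reason Tim mentions above.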
--
This message was sent by Atlassian Jira
(v8.3.4#803005)