I agree because of that exact reason (access to config file needed). I
remember a cartoon about it but can no longer find it.
Tilman
On 07.01.2022 at 19:15, Tim Allison wrote:
I'm frankly, personally, not motivated to roll a new release for
log4j2 2.17.1 because the vulnerability, IMO, is not a real
vulnerability...if someone has access to your logging config file,
you've got far larger issues.
However, it does look like there are some new problems with iworks
detection and maybe processing. Once we fix those and/or figure out
what's fixable, then I think we should roll a Tika 2.2.2 with log4j
2.17.1 and those updates.
I'd be grateful for any help getting POI 5.x to work in our osgi
bundle so that we can upgrade to that asap.
Fellow devs, what do you think?
Best,
Tim
On Fri, Jan 7, 2022 at 11:17 AM Josh Burchard <[email protected]> wrote:
I see that now https://logging.apache.org/log4j/2.x/security.html states that
vulnerabilities exist in all versions up to Log4j 2.17.0, so the recommendation
is to use 2.17.1. Is there a plan to spin another Tika release that uses
2.17.1?
From: "Tim Allison" <[email protected]>
To: [email protected], "<[email protected]>" <[email protected]>,
[email protected]
Date: 12/23/2021 03:27 PM
Subject: [ANNOUNCE] Apache Tika 2.2.1 released
________________________________
The Apache Tika project is pleased to announce the release of Apache
Tika 2.2.1. The release contents have been pushed out to the main
Apache release site and to the Maven Central sync.
Apache Tika is a toolkit for detecting and extracting metadata and
structured text content from various documents using existing parser
libraries.
Apache Tika 2.2.1 contains an upgrade to log4j2 2.17.0, a
critical fix to an OOXML parser regression that was introduced
in 2.2.0, and upgrades to other dependencies. Details can be found
in the changes file:
https://www.apache.org/dist/tika/2.2.1/CHANGES-2.2.1.txt
Apache Tika is available on the download page:
https://tika.apache.org/download.html
Apache Tika is also available in binary form or for use using Maven 2
from the Central Repository:
https://repo1.maven.org/maven2/org/apache/tika/
When downloading, please remember to verify the downloads using
signatures found: https://www.apache.org/dist/tika/KEYS
For more information on Apache Tika, visit the project home page:
https://tika.apache.org/
-- Tim Allison, on behalf of the Apache Tika community