Felix Sperling created TIKA-3926:
------------------------------------
Summary: Build a new version of the Tika docker image to fix CVEs
Key: TIKA-3926
URL: https://issues.apache.org/jira/browse/TIKA-3926
Project: Tika
Issue Type: Bug
Affects Versions: 2.6.0
Reporter: Felix Sperling
Build a new Docker image with openssl upgraded, in order to fix the security
vulnerability described below.
Details:
A buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking. Note that this occurs after
certificate chain signature verification and requires either a CA to have
signed the malicious certificate or for the application to continue certificate
verification despite failure to construct a path to a trusted issuer. An
attacker can craft a malicious email address to overflow an arbitrary number of
bytes containing the {{.}} character (decimal 46) on the stack. This buffer
overflow could result in a crash (causing a denial of service).
h3. Changelog
November 1, 2022 - Advisory published.
h2. Remediation
Upgrade {{Ubuntu:22.04}} {{openssl}} to version 3.0.2-0ubuntu1.7 or higher.
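An added check for the remediation step above (not part of this ticket or of the Tika project's own build): the "or higher" test needs Debian-style version ordering, because a plain string comparison puts 0ubuntu1.10 before 0ubuntu1.7. The `dpkg-query` output is constructed, and it is assumed that libssl3, built from the same openssl source package on Ubuntu 22.04, should be checked alongside openssl.

```python
import re

FIXED_VERSION = "3.0.2-0ubuntu1.7"  # from the ticket's remediation line (Ubuntu 22.04)
# Constructed sample of `dpkg-query -W -f '${Package}\t${Version}\n'` output
SAMPLE_DPKG_QUERY = """openssl\t3.0.2-0ubuntu1.6
libssl3\t3.0.2-0ubuntu1.6
ca-certificates\t20211016ubuntu0.22.04.1
"""

def _order(c):
    # per-character weight as in dpkg: '~' < end-of-string/digit < letters < others
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare an upstream-version or revision string the way dpkg's verrevcmp does."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            oa, ob = _order(a[:1]), _order(b[:1])
            if oa != ob:
                return -1 if oa < ob else 1
            a, b = a[1:], b[1:]
        # digit runs compare numerically, so "1.10" sorts after "1.7"
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def compare_versions(a, b):
    """Return -1, 0 or 1 for Debian/Ubuntu package versions a <, ==, > b."""
    def split(v):  # [epoch:]upstream[-revision]
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    return (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def unpatched_packages(dpkg_output, fixed=FIXED_VERSION, names=("openssl", "libssl3")):
    # {package: installed_version} for tracked packages still below the fixed version
    below = {}
    for line in dpkg_output.splitlines():
        name, _, version = line.partition("\t")
        if name in names and compare_versions(version, fixed) < 0:
            below[name] = version
    return below
```

Running `unpatched_packages(SAMPLE_DPKG_QUERY)` inside the image flags both packages on the sample; an empty result means the image meets the remediation line.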
--
This message was sent by Atlassian Jira
(v8.20.10#820010)