[
https://issues.apache.org/jira/browse/TIKA-3926?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17631944#comment-17631944
]
Tim Allison edited comment on TIKA-3926 at 11/10/22 10:10 PM:
--------------------------------------------------------------
{noformat}
Preparing to unpack .../01-openssl_3.0.2-0ubuntu1.7_amd64.deb ...
Unpacking openssl (3.0.2-0ubuntu1.7) ...
{noformat}
2.6.0.1 released just now
was (Author: [email protected]):
2.6.0.1 released just now
> Build a new version of the Tika docker image to fix CVEs
> --------------------------------------------------------
>
> Key: TIKA-3926
> URL: https://issues.apache.org/jira/browse/TIKA-3926
> Project: Tika
> Issue Type: Bug
> Affects Versions: 2.6.0
> Reporter: Felix Sperling
> Priority: Major
>
> Build a new docker image which has openssl upgraded in order to fix security
> vuln.
>
> Details:
> A buffer overrun can be triggered in X.509 certificate verification,
> specifically in name constraint checking. Note that this occurs after
> certificate chain signature verification and requires either a CA to have
> signed the malicious certificate or for the application to continue
> certificate verification despite failure to construct a path to a trusted
> issuer. An attacker can craft a malicious email address to overflow an
> arbitrary number of bytes containing the {{.}} character (decimal 46) on the
> stack. This buffer overflow could result in a crash (causing a denial of
> service).
> h3. Changelog
> November 1, 2022 - Advisory published.
> h2. Remediation
> Upgrade {{Ubuntu:22.04}} {{openssl}} to version 3.0.2-0ubuntu1.7 or higher.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
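The remediation above is a package version floor: the image is fixed once the installed openssl package is at or above 3.0.2-0ubuntu1.7 under Debian version ordering. The script below is an added example for checking that against a built image; it is not code from the ticket or from the Tika project. It assumes the image is Ubuntu based and so has dpkg (as the Ubuntu:22.04 advisory implies), that `docker` is on PATH, and that the image name passed on the command line is a placeholder chosen by the caller.

```shell
#!/bin/sh
# Added example (not Tika project code): verify that an Ubuntu 22.04 based
# container image carries the fixed openssl package named in the advisory.
# Assumptions: the image has dpkg-query, docker is on PATH, and the image
# name is supplied by the caller.

FIXED_OPENSSL="3.0.2-0ubuntu1.7"   # minimum fixed version per the advisory

# openssl_is_fixed VERSION -> exit 0 if VERSION >= FIXED_OPENSSL (Debian ordering)
openssl_is_fixed() {
  v="$1"
  if command -v dpkg >/dev/null 2>&1; then
    # dpkg implements the authoritative Debian version comparison,
    # including epochs, '~' pre-release markers and letter/number runs.
    dpkg --compare-versions "$v" ge "$FIXED_OPENSSL"
  else
    # Fallback: GNU sort -V. Adequate for plain numeric Ubuntu revisions
    # like 0ubuntu1.7; it does not understand '~' or epochs, so prefer dpkg.
    lowest=$(printf '%s\n%s\n' "$FIXED_OPENSSL" "$v" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_OPENSSL" ]
  fi
}

# image_openssl_version IMAGE -> prints the openssl package version installed in IMAGE
image_openssl_version() {
  # Override the entrypoint so the container runs dpkg-query instead of Tika.
  docker run --rm --entrypoint dpkg-query "$1" -W -f='${Version}' openssl
}

# check_image IMAGE -> 0 if fixed, 1 if still vulnerable, 2 if the version could not be read
check_image() {
  img="$1"
  v=$(image_openssl_version "$img") || {
    echo "$img: could not read openssl package version" >&2
    return 2
  }
  if openssl_is_fixed "$v"; then
    echo "$img: openssl $v is at or above $FIXED_OPENSSL (fixed)"
  else
    echo "$img: openssl $v is below $FIXED_OPENSSL (VULNERABLE, rebuild the image)"
    return 1
  fi
}

# Usage: sh check_openssl.sh <image>   e.g. an apache/tika tag (placeholder)
if [ $# -gt 0 ]; then
  check_image "$1"
fi
```

Note that the check reads the package database rather than `openssl version`: Ubuntu backports the fix into 3.0.2 without changing the upstream version string, so only the Debian revision (0ubuntu1.7) tells you whether the patched build is installed.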