On Fri, Jan 12, 2018 at 07:54:58PM +0100, Moritz Muehlenhoff wrote:
> On Thu, Jan 11, 2018 at 02:03:23PM +0200, Faidon Liambotis wrote:
> > On Fri, May 27, 2016 at 11:58:33AM +0200, Moritz Muehlenhoff wrote:
> > > please see http://seclists.org/oss-sec/2016/q2/413 for details.
> > That link says:
> > Versions Affected:
> > Apache Tika 0.10 to 1.12
> > So perhaps 1.5 isn't affected after all? I tried to find the relevant
> > commit in the upstream git but failed :(
> in 1.17 added a test case, so this might be related to changes in Xerces/J
> which are possibly bundled by Tika downloads? Might be worth clarifying with
> Tim Allison <talli...@apache.org>.
Above, you said "so perhaps 1.5 isn't affected after all?". But why
this conclusion? 1.5 as currently in unstable and oldstable present
falls within the affected range of 0.15 and 1.12.
The issue is claimed to be fixed in upstream 1.13 (and as Moritz
pointed out a test was added. Comparing commits between 1.12 and 1.13
I was unable to isolate the relevant commit(s), but there are some
touching the code for "OOXML files and XMP in PDF and other file
So yes, maybe Tim Allison can help identify which are the required
commits, but best course might just to try to update to the newest
upstream version for unstable.
This is the maintainer address of Debian's Java team
debian-j...@lists.debian.org for discussions and questions.