[CVE-2020-1951] Infinite Loop (DoS) vulnerability in Apache Tika's PSDParser

2020-03-18 Thread Tim Allison
Title: [CVE-2020-1951] Infinite Loop (DoS) vulnerability in Apache Tika's
PSDParser

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Apache Tika  1.0 to 1.23

Description:
A carefully crafted or corrupt PSD file can cause an infinite loop in Apache
Tika's PSDParser in versions 1.0-1.23.


Mitigation:
Apache Tika users should upgrade to 1.24 or later.

Credit:
This issue was discovered by Tim Allison on the Apache Tika team.


[CVE-2020-1950] Excessive memory usage (DoS) vulnerability in Apache Tika's PSDParser

2020-03-18 Thread Tim Allison
Title: [CVE-2020-1950] Excessive memory usage (DoS) vulnerability in Apache
Tika's PSDParser

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Apache Tika  1.0 to 1.23

Description:
A carefully crafted or corrupt PSD file can cause excessive memory usage in
Apache Tika's PSDParser in versions 1.0-1.23.


Mitigation:
Apache Tika users should upgrade to 1.24 or later.


Credit:
This issue was discovered by Pierre Ernst at Elastic.


Re: [EXTERNAL] Re: JDK 12 build issues

2020-03-18 Thread Tim Allison
Oh, and welcome back, Chris!!!

On Wed, Mar 18, 2020 at 11:21 AM Tim Allison  wrote:

> FWIW, I got a clean build on 11 and 13 just now.  We've been getting the
> malformed stream error in Jenkins quite a bit in the dl4j model.  I suspect
> this is just a problem w downloading the file, but I'm not sure...
>
> On Wed, Mar 18, 2020 at 10:57 AM Chris Mattmann 
> wrote:
>
>> Thanks Oleg I was using OpenJDK 12 and 13, but I fixed it!
>>
>>
>>
>> I needed to delete the $HOME/.tika-dl folder. All good now!
>>
>>
>>
>> NING] Invalid POM for commons-net:commons-net:jar:3.1, transitive
>> dependencies (if any) will not be available, enable debug logging for more
>> details
>>
>> [WARNING] Invalid POM for net.ericaro:neoitertools:jar:1.0.0, transitive
>> dependencies (if any) will not be available, enable debug logging for more
>> details
>>
>> [INFO]
>>
>> [INFO] --- maven-remote-resources-plugin:1.5:process (default) @ tika-dl
>> ---
>>
>> [WARNING] Invalid project model for artifact
>> [commons-net:commons-net:3.1]. It will be ignored by the remote resources
>> Mojo.
>>
>> [WARNING] Invalid project model for artifact
>> [neoitertools:net.ericaro:1.0.0]. It will be ignored by the remote
>> resources Mojo.
>>
>> [INFO]
>>
>> [INFO] --- maven-resources-plugin:2.7:resources (default-resources) @
>> tika-dl ---
>>
>> [INFO] Using 'UTF-8' encoding to copy filtered resources.
>>
>> [INFO] skip non existing resourceDirectory
>> /Users/mattmann/src/tika/tika-dl/src/main/resources
>>
>> [INFO] Copying 3 resources
>>
>> [INFO]
>>
>> [INFO] --- maven-compiler-plugin:3.8.0:compile (default-compile) @
>> tika-dl ---
>>
>> [INFO] Changes detected - recompiling the module!
>>
>> [INFO] Compiling 2 source files to
>> /Users/mattmann/src/tika/tika-dl/target/classes
>>
>> [INFO]
>>
>> [INFO] --- maven-resources-plugin:2.7:testResources
>> (default-testResources) @ tika-dl ---
>>
>> [INFO] Using 'UTF-8' encoding to copy filtered resources.
>>
>> [INFO] Copying 4 resources
>>
>> [INFO] Copying 3 resources
>>
>> [INFO]
>>
>> [INFO] --- maven-compiler-plugin:3.8.0:testCompile (default-testCompile)
>> @ tika-dl ---
>>
>> [INFO] Changes detected - recompiling the module!
>>
>> [INFO] Compiling 2 source files to
>> /Users/mattmann/src/tika/tika-dl/target/test-classes
>>
>> [INFO]
>>
>> [INFO] --- maven-surefire-plugin:3.0.0-M4:test (default-test) @ tika-dl
>> ---
>>
>> [INFO]
>>
>> [INFO] ---
>>
>> [INFO]  T E S T S
>>
>> [INFO] ---
>>
>> [INFO] Running org.apache.tika.dl.imagerec.DL4JVGG16NetTest
>>
>> log4j:WARN No appenders could be found for logger
>> (org.nd4j.linalg.factory.Nd4jBackend).
>>
>> log4j:WARN Please initialize the log4j system properly.
>>
>> log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for
>> more info.
>>
>> [INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed:
>> 272.202 s - in org.apache.tika.dl.imagerec.DL4JVGG16NetTest
>>
>> [INFO] Running org.apache.tika.dl.imagerec.DL4JInceptionV3NetTest
>>
>> [INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed:
>> 44.616 s - in org.apache.tika.dl.imagerec.DL4JInceptionV3NetTest
>>
>> [INFO]
>>
>> [INFO] Results:
>>
>> [INFO]
>>
>> [INFO] Tests run: 2, Failures: 0, Errors: 0, Skipped: 0
>>
>> [INFO]
>>
>> [INFO]
>> 
>>
>> [INFO] BUILD SUCCESS
>>
>> [INFO]
>> 
>>
>> [INFO] Total time:  05:27 min
>>
>> [INFO] Finished at: 2020-03-18T07:51:56-07:00
>>
>> [INFO]
>> 
>>
>> pomodoro:tika-dl mattmann$
>>
>> From: Oleg Tikhonov 
>> Reply-To: "dev@tika.apache.org" 
>> Date: Wednesday, March 18, 2020 at 7:53 AM
>> To: "dev@tika.apache.org" 
>> Subject: Re: [EXTERNAL] Re: JDK 12 build issues
>>
>>
>>
>> Hi Chris,
>>
>> I'm currently trying to build an env with java 12/13 ... in order to try
>>
>> your setup.
>>
>> What java version are you using? open jdk or oracle?
>>
>> Once upon a time there was a bug in openjdk
>>
>> https://bugs.openjdk.java.net/browse/JDK-8131146
>>
>> But it seems to be ok in recent releases.
>>
>>
>>
>> Keep you updated.
>>
>> Cheers,
>>
>> Oleg
>>
>>
>>
>>
>>
>> On Wed, Mar 18, 2020 at 4:35 PM Chris Mattmann 
>> wrote:
>>
>>
>>
>> So I was able to get past my issues with Tesseract by reinstalling the
>>
>> latest version with Brew.
>>
>>
>>
>>
>>
>>
>>
>> I have a new issue!
>>
>>
>>
>> I’ve tried in JDK12 and JDK13 to build tika-dl, but it keeps failing:
>>
>>
>>
>>
>>
>>
>>
>> [INFO]
>>
>>
>>
>> [INFO] --- maven-compiler-plugin:3.8.0:testCompile (default-testCompile) @
>>
>> tika-dl ---
>>
>>
>>
>> [INFO] Changes detected - recompiling the module!
>>
>>
>>
>> [INFO] Compiling 2 source files to
>>
>> /Users/mattmann/src/tika/tika-dl/target/test-classes
>>
>>
>>
>> [INFO]
>>

Re: [EXTERNAL] Re: JDK 12 build issues

2020-03-18 Thread Tim Allison
FWIW, I got a clean build on 11 and 13 just now.  We've been getting the
malformed stream error in Jenkins quite a bit in the dl4j model.  I suspect
this is just a problem w downloading the file, but I'm not sure...

On Wed, Mar 18, 2020 at 10:57 AM Chris Mattmann  wrote:

> Thanks Oleg I was using OpenJDK 12 and 13, but I fixed it!
>
>
>
> I needed to delete the $HOME/.tika-dl folder. All good now!
>
>
>
> NING] Invalid POM for commons-net:commons-net:jar:3.1, transitive
> dependencies (if any) will not be available, enable debug logging for more
> details
>
> [WARNING] Invalid POM for net.ericaro:neoitertools:jar:1.0.0, transitive
> dependencies (if any) will not be available, enable debug logging for more
> details
>
> [INFO]
>
> [INFO] --- maven-remote-resources-plugin:1.5:process (default) @ tika-dl
> ---
>
> [WARNING] Invalid project model for artifact
> [commons-net:commons-net:3.1]. It will be ignored by the remote resources
> Mojo.
>
> [WARNING] Invalid project model for artifact
> [neoitertools:net.ericaro:1.0.0]. It will be ignored by the remote
> resources Mojo.
>
> [INFO]
>
> [INFO] --- maven-resources-plugin:2.7:resources (default-resources) @
> tika-dl ---
>
> [INFO] Using 'UTF-8' encoding to copy filtered resources.
>
> [INFO] skip non existing resourceDirectory
> /Users/mattmann/src/tika/tika-dl/src/main/resources
>
> [INFO] Copying 3 resources
>
> [INFO]
>
> [INFO] --- maven-compiler-plugin:3.8.0:compile (default-compile) @ tika-dl
> ---
>
> [INFO] Changes detected - recompiling the module!
>
> [INFO] Compiling 2 source files to
> /Users/mattmann/src/tika/tika-dl/target/classes
>
> [INFO]
>
> [INFO] --- maven-resources-plugin:2.7:testResources
> (default-testResources) @ tika-dl ---
>
> [INFO] Using 'UTF-8' encoding to copy filtered resources.
>
> [INFO] Copying 4 resources
>
> [INFO] Copying 3 resources
>
> [INFO]
>
> [INFO] --- maven-compiler-plugin:3.8.0:testCompile (default-testCompile) @
> tika-dl ---
>
> [INFO] Changes detected - recompiling the module!
>
> [INFO] Compiling 2 source files to
> /Users/mattmann/src/tika/tika-dl/target/test-classes
>
> [INFO]
>
> [INFO] --- maven-surefire-plugin:3.0.0-M4:test (default-test) @ tika-dl ---
>
> [INFO]
>
> [INFO] ---
>
> [INFO]  T E S T S
>
> [INFO] ---
>
> [INFO] Running org.apache.tika.dl.imagerec.DL4JVGG16NetTest
>
> log4j:WARN No appenders could be found for logger
> (org.nd4j.linalg.factory.Nd4jBackend).
>
> log4j:WARN Please initialize the log4j system properly.
>
> log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for
> more info.
>
> [INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed:
> 272.202 s - in org.apache.tika.dl.imagerec.DL4JVGG16NetTest
>
> [INFO] Running org.apache.tika.dl.imagerec.DL4JInceptionV3NetTest
>
> [INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed:
> 44.616 s - in org.apache.tika.dl.imagerec.DL4JInceptionV3NetTest
>
> [INFO]
>
> [INFO] Results:
>
> [INFO]
>
> [INFO] Tests run: 2, Failures: 0, Errors: 0, Skipped: 0
>
> [INFO]
>
> [INFO]
> 
>
> [INFO] BUILD SUCCESS
>
> [INFO]
> 
>
> [INFO] Total time:  05:27 min
>
> [INFO] Finished at: 2020-03-18T07:51:56-07:00
>
> [INFO]
> 
>
> pomodoro:tika-dl mattmann$
>
> From: Oleg Tikhonov 
> Reply-To: "dev@tika.apache.org" 
> Date: Wednesday, March 18, 2020 at 7:53 AM
> To: "dev@tika.apache.org" 
> Subject: Re: [EXTERNAL] Re: JDK 12 build issues
>
>
>
> Hi Chris,
>
> I'm currently trying to build an env with java 12/13 ... in order to try
>
> your setup.
>
> What java version are you using? open jdk or oracle?
>
> Once upon a time there was a bug in openjdk
>
> https://bugs.openjdk.java.net/browse/JDK-8131146
>
> But it seems to be ok in recent releases.
>
>
>
> Keep you updated.
>
> Cheers,
>
> Oleg
>
>
>
>
>
> On Wed, Mar 18, 2020 at 4:35 PM Chris Mattmann 
> wrote:
>
>
>
> So I was able to get past my issues with Tesseract by reinstalling the
>
> latest version with Brew.
>
>
>
>
>
>
>
> I have a new issue!
>
>
>
> I’ve tried in JDK12 and JDK13 to build tika-dl, but it keeps failing:
>
>
>
>
>
>
>
> [INFO]
>
>
>
> [INFO] --- maven-compiler-plugin:3.8.0:testCompile (default-testCompile) @
>
> tika-dl ---
>
>
>
> [INFO] Changes detected - recompiling the module!
>
>
>
> [INFO] Compiling 2 source files to
>
> /Users/mattmann/src/tika/tika-dl/target/test-classes
>
>
>
> [INFO]
>
>
>
> [INFO] --- maven-surefire-plugin:3.0.0-M4:test (default-test) @ tika-dl ---
>
>
>
> [INFO]
>
>
>
> [INFO] ---
>
>
>
> [INFO]  T E S T S
>
>
>
> [INFO] ---
>
>
>
> [INFO] Running 

Re: [EXTERNAL] Re: JDK 12 build issues

2020-03-18 Thread Chris Mattmann
Thanks Oleg I was using OpenJDK 12 and 13, but I fixed it!

 

I needed to delete the $HOME/.tika-dl folder. All good now!

 

NING] Invalid POM for commons-net:commons-net:jar:3.1, transitive dependencies 
(if any) will not be available, enable debug logging for more details

[WARNING] Invalid POM for net.ericaro:neoitertools:jar:1.0.0, transitive 
dependencies (if any) will not be available, enable debug logging for more 
details

[INFO] 

[INFO] --- maven-remote-resources-plugin:1.5:process (default) @ tika-dl ---

[WARNING] Invalid project model for artifact [commons-net:commons-net:3.1]. It 
will be ignored by the remote resources Mojo.

[WARNING] Invalid project model for artifact [neoitertools:net.ericaro:1.0.0]. 
It will be ignored by the remote resources Mojo.

[INFO] 

[INFO] --- maven-resources-plugin:2.7:resources (default-resources) @ tika-dl 
---

[INFO] Using 'UTF-8' encoding to copy filtered resources.

[INFO] skip non existing resourceDirectory 
/Users/mattmann/src/tika/tika-dl/src/main/resources

[INFO] Copying 3 resources

[INFO] 

[INFO] --- maven-compiler-plugin:3.8.0:compile (default-compile) @ tika-dl ---

[INFO] Changes detected - recompiling the module!

[INFO] Compiling 2 source files to 
/Users/mattmann/src/tika/tika-dl/target/classes

[INFO] 

[INFO] --- maven-resources-plugin:2.7:testResources (default-testResources) @ 
tika-dl ---

[INFO] Using 'UTF-8' encoding to copy filtered resources.

[INFO] Copying 4 resources

[INFO] Copying 3 resources

[INFO] 

[INFO] --- maven-compiler-plugin:3.8.0:testCompile (default-testCompile) @ 
tika-dl ---

[INFO] Changes detected - recompiling the module!

[INFO] Compiling 2 source files to 
/Users/mattmann/src/tika/tika-dl/target/test-classes

[INFO] 

[INFO] --- maven-surefire-plugin:3.0.0-M4:test (default-test) @ tika-dl ---

[INFO] 

[INFO] ---

[INFO]  T E S T S

[INFO] ---

[INFO] Running org.apache.tika.dl.imagerec.DL4JVGG16NetTest

log4j:WARN No appenders could be found for logger 
(org.nd4j.linalg.factory.Nd4jBackend).

log4j:WARN Please initialize the log4j system properly.

log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more 
info.

[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 272.202 
s - in org.apache.tika.dl.imagerec.DL4JVGG16NetTest

[INFO] Running org.apache.tika.dl.imagerec.DL4JInceptionV3NetTest

[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 44.616 s 
- in org.apache.tika.dl.imagerec.DL4JInceptionV3NetTest

[INFO] 

[INFO] Results:

[INFO] 

[INFO] Tests run: 2, Failures: 0, Errors: 0, Skipped: 0

[INFO] 

[INFO] 

[INFO] BUILD SUCCESS

[INFO] 

[INFO] Total time:  05:27 min

[INFO] Finished at: 2020-03-18T07:51:56-07:00

[INFO] 

pomodoro:tika-dl mattmann$

From: Oleg Tikhonov 
Reply-To: "dev@tika.apache.org" 
Date: Wednesday, March 18, 2020 at 7:53 AM
To: "dev@tika.apache.org" 
Subject: Re: [EXTERNAL] Re: JDK 12 build issues

 

Hi Chris,

I'm currently trying to build an env with java 12/13 ... in order to try

your setup.

What java version are you using? open jdk or oracle?

Once upon a time there was a bug in openjdk

https://bugs.openjdk.java.net/browse/JDK-8131146

But it seems to be ok in recent releases.

 

Keep you updated.

Cheers,

Oleg

 

 

On Wed, Mar 18, 2020 at 4:35 PM Chris Mattmann  wrote:

 

So I was able to get past my issues with Tesseract by reinstalling the

latest version with Brew.

 

 

 

I have a new issue!

 

I’ve tried in JDK12 and JDK13 to build tika-dl, but it keeps failing:

 

 

 

[INFO]

 

[INFO] --- maven-compiler-plugin:3.8.0:testCompile (default-testCompile) @

tika-dl ---

 

[INFO] Changes detected - recompiling the module!

 

[INFO] Compiling 2 source files to

/Users/mattmann/src/tika/tika-dl/target/test-classes

 

[INFO]

 

[INFO] --- maven-surefire-plugin:3.0.0-M4:test (default-test) @ tika-dl ---

 

[INFO]

 

[INFO] ---

 

[INFO]  T E S T S

 

[INFO] ---

 

[INFO] Running org.apache.tika.dl.imagerec.DL4JVGG16NetTest

 

log4j:WARN No appenders could be found for logger

(org.nd4j.linalg.factory.Nd4jBackend).

 

log4j:WARN Please initialize the log4j system properly.

 

log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for

more info.

 

[ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed:

3.38 s <<< FAILURE! - in org.apache.tika.dl.imagerec.DL4JVGG16NetTest

 

[ERROR] org.apache.tika.dl.imagerec.DL4JVGG16NetTest.recognise  Time

elapsed: 3.29 s  <<< ERROR!

 

org.apache.tika.exception.TikaConfigException: 

Re: [EXTERNAL] Re: JDK 12 build issues

2020-03-18 Thread Oleg Tikhonov
Hi Chris,
I'm currently trying to build an env with java 12/13 ... in order to try
your setup.
What java version are you using? open jdk or oracle?
Once upon a time there was a bug in openjdk
https://bugs.openjdk.java.net/browse/JDK-8131146
But it seems to be ok in recent releases.

Keep you updated.
Cheers,
Oleg


On Wed, Mar 18, 2020 at 4:35 PM Chris Mattmann  wrote:

> So I was able to get past my issues with Tesseract by reinstalling the
> latest version with Brew.
>
>
>
> I have a new issue!
>
> I’ve tried in JDK12 and JDK13 to build tika-dl, but it keeps failing:
>
>
>
> [INFO]
>
> [INFO] --- maven-compiler-plugin:3.8.0:testCompile (default-testCompile) @
> tika-dl ---
>
> [INFO] Changes detected - recompiling the module!
>
> [INFO] Compiling 2 source files to
> /Users/mattmann/src/tika/tika-dl/target/test-classes
>
> [INFO]
>
> [INFO] --- maven-surefire-plugin:3.0.0-M4:test (default-test) @ tika-dl ---
>
> [INFO]
>
> [INFO] ---
>
> [INFO]  T E S T S
>
> [INFO] ---
>
> [INFO] Running org.apache.tika.dl.imagerec.DL4JVGG16NetTest
>
> log4j:WARN No appenders could be found for logger
> (org.nd4j.linalg.factory.Nd4jBackend).
>
> log4j:WARN Please initialize the log4j system properly.
>
> log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for
> more info.
>
> [ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed:
> 3.38 s <<< FAILURE! - in org.apache.tika.dl.imagerec.DL4JVGG16NetTest
>
> [ERROR] org.apache.tika.dl.imagerec.DL4JVGG16NetTest.recognise  Time
> elapsed: 3.29 s  <<< ERROR!
>
> org.apache.tika.exception.TikaConfigException: java.io.UTFDataFormatException:
> malformed input around byte 11
>
>    at
> org.apache.tika.dl.imagerec.DL4JVGG16NetTest.recognise(DL4JVGG16NetTest.java:36)
>
> Caused by: java.lang.RuntimeException: java.io.UTFDataFormatException:
> malformed input around byte 11
>
>    at
> org.apache.tika.dl.imagerec.DL4JVGG16NetTest.recognise(DL4JVGG16NetTest.java:36)
>
> Caused by: java.io.UTFDataFormatException: malformed input around byte 11
>
>    at
> org.apache.tika.dl.imagerec.DL4JVGG16NetTest.recognise(DL4JVGG16NetTest.java:36)
>
>
>
> [INFO] Running org.apache.tika.dl.imagerec.DL4JInceptionV3NetTest
>
> [INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed:
> 5.392 s - in org.apache.tika.dl.imagerec.DL4JInceptionV3NetTest
>
> [INFO]
>
> [INFO] Results:
>
> [INFO]
>
> [ERROR] Errors:
>
> [ERROR]   DL4JVGG16NetTest.recognise:36 » TikaConfig 
> java.io.UTFDataFormatException:
> mal...
>
> [INFO]
>
> [ERROR] Tests run: 2, Failures: 0, Errors: 1, Skipped: 0
>
> [INFO]
>
> [INFO]
> 
>
> [INFO] BUILD FAILURE
>
> [INFO]
> 
>
> [INFO] Total time:  25.628 s
>
> [INFO] Finished at: 2020-03-18T07:34:08-07:00
>
> [INFO]
> 
>
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M4:test (default-test)
> on project tika-dl: There are test failures.
>
> [ERROR]
>
> [ERROR] Please refer to
> /Users/mattmann/src/tika/tika-dl/target/surefire-reports for the individual
> test results.
>
> [ERROR] Please refer to dump files (if any exist) [date].dump,
> [date]-jvmRun[N].dump and [date].dumpstream.
>
> [ERROR] -> [Help 1]
>
> [ERROR]
>
> [ERROR] To see the full stack trace of the errors, re-run Maven with the
> -e switch.
>
> [ERROR] Re-run Maven using the -X switch to enable full debug logging.
>
> [ERROR]
>
> [ERROR] For more information about the errors and possible solutions,
> please read the following articles:
>
> [ERROR] [Help 1]
> http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
>
> pomodoro:tika-dl mattmann$
>
>
>
> Thamme, do you have any ideas what is going on here?
>
>
> Cheers,
>
> Chris
>
> From: Tim Allison 
> Reply-To: "dev@tika.apache.org" , "Allison, Timothy
> B (US 1760-Affiliate)" 
> Date: Wednesday, March 18, 2020 at 2:35 AM
> To: "dev@tika.apache.org" 
> Subject: [EXTERNAL] Re: JDK 12 build issues
>
>
>
> Haven’t tried...we should add java 12-14 to Jenkins.
>
>
>
> Wait, are we up to 18 yet...
>
>
>
> Will look into it...
>
>
>
> On Tue, Mar 17, 2020 at 10:07 PM Chris Mattmann 
> wrote:
>
>
>
> Hey Tim et al.,
>
>
>
>
>
>
>
> Do the tests fail for you with Java 12?
>
>
>
>
>
>
>
> [INFO] Running org.apache.tika.parser.pkg.GzipParserTest
>
>
>
> [INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed:
>
> 0.397 s - in org.apache.tika.parser.pkg.GzipParserTest
>
>
>
> [INFO] Running org.apache.tika.TestXMLEntityExpansion
>
>
>
> [WARNING] Tests run: 3, Failures: 0, Errors: 0, Skipped: 1, Time elapsed:
>
> 0.085 s - in org.apache.tika.TestXMLEntityExpansion
>
>
>
> [INFO] Running org.apache.tika.mime.MimeTypeTest
>
>
>
> 

Re: [EXTERNAL] Re: JDK 12 build issues

2020-03-18 Thread Chris Mattmann
So I was able to get past my issues with Tesseract by reinstalling the latest 
version with Brew.

 

I have a new issue!

I’ve tried in JDK12 and JDK13 to build tika-dl, but it keeps failing:

 

[INFO] 

[INFO] --- maven-compiler-plugin:3.8.0:testCompile (default-testCompile) @ 
tika-dl ---

[INFO] Changes detected - recompiling the module!

[INFO] Compiling 2 source files to 
/Users/mattmann/src/tika/tika-dl/target/test-classes

[INFO] 

[INFO] --- maven-surefire-plugin:3.0.0-M4:test (default-test) @ tika-dl ---

[INFO] 

[INFO] ---

[INFO]  T E S T S

[INFO] ---

[INFO] Running org.apache.tika.dl.imagerec.DL4JVGG16NetTest

log4j:WARN No appenders could be found for logger 
(org.nd4j.linalg.factory.Nd4jBackend).

log4j:WARN Please initialize the log4j system properly.

log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more 
info.

[ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 3.38 s 
<<< FAILURE! - in org.apache.tika.dl.imagerec.DL4JVGG16NetTest

[ERROR] org.apache.tika.dl.imagerec.DL4JVGG16NetTest.recognise  Time elapsed: 
3.29 s  <<< ERROR!

org.apache.tika.exception.TikaConfigException: java.io.UTFDataFormatException: 
malformed input around byte 11

   at 
org.apache.tika.dl.imagerec.DL4JVGG16NetTest.recognise(DL4JVGG16NetTest.java:36)

Caused by: java.lang.RuntimeException: java.io.UTFDataFormatException: 
malformed input around byte 11

   at 
org.apache.tika.dl.imagerec.DL4JVGG16NetTest.recognise(DL4JVGG16NetTest.java:36)

Caused by: java.io.UTFDataFormatException: malformed input around byte 11

   at 
org.apache.tika.dl.imagerec.DL4JVGG16NetTest.recognise(DL4JVGG16NetTest.java:36)

 

[INFO] Running org.apache.tika.dl.imagerec.DL4JInceptionV3NetTest

[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 5.392 s 
- in org.apache.tika.dl.imagerec.DL4JInceptionV3NetTest

[INFO] 

[INFO] Results:

[INFO] 

[ERROR] Errors: 

[ERROR]   DL4JVGG16NetTest.recognise:36 » TikaConfig 
java.io.UTFDataFormatException: mal...

[INFO] 

[ERROR] Tests run: 2, Failures: 0, Errors: 1, Skipped: 0

[INFO] 

[INFO] 

[INFO] BUILD FAILURE

[INFO] 

[INFO] Total time:  25.628 s

[INFO] Finished at: 2020-03-18T07:34:08-07:00

[INFO] 

[ERROR] Failed to execute goal 
org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M4:test (default-test) on 
project tika-dl: There are test failures.

[ERROR] 

[ERROR] Please refer to 
/Users/mattmann/src/tika/tika-dl/target/surefire-reports for the individual 
test results.

[ERROR] Please refer to dump files (if any exist) [date].dump, 
[date]-jvmRun[N].dump and [date].dumpstream.

[ERROR] -> [Help 1]

[ERROR] 

[ERROR] To see the full stack trace of the errors, re-run Maven with the -e 
switch.

[ERROR] Re-run Maven using the -X switch to enable full debug logging.

[ERROR] 

[ERROR] For more information about the errors and possible solutions, please 
read the following articles:

[ERROR] [Help 1] 
http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

pomodoro:tika-dl mattmann$ 

 

Thamme, do you have any ideas what is going on here?


Cheers,

Chris

From: Tim Allison 
Reply-To: "dev@tika.apache.org" , "Allison, Timothy B (US 
1760-Affiliate)" 
Date: Wednesday, March 18, 2020 at 2:35 AM
To: "dev@tika.apache.org" 
Subject: [EXTERNAL] Re: JDK 12 build issues

 

Haven’t tried...we should add java 12-14 to Jenkins.

 

Wait, are we up to 18 yet...

 

Will look into it...

 

On Tue, Mar 17, 2020 at 10:07 PM Chris Mattmann  wrote:

 

Hey Tim et al.,

 

 

 

Do the tests fail for you with Java 12?

 

 

 

[INFO] Running org.apache.tika.parser.pkg.GzipParserTest

 

[INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed:

0.397 s - in org.apache.tika.parser.pkg.GzipParserTest

 

[INFO] Running org.apache.tika.TestXMLEntityExpansion

 

[WARNING] Tests run: 3, Failures: 0, Errors: 0, Skipped: 1, Time elapsed:

0.085 s - in org.apache.tika.TestXMLEntityExpansion

 

[INFO] Running org.apache.tika.mime.MimeTypeTest

 

[INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed:

0.001 s - in org.apache.tika.mime.MimeTypeTest

 

[INFO] Running org.apache.tika.mime.MimeTypesTest

 

[INFO] Tests run: 5, Failures: 0, Errors: 0, Skipped: 0, Time elapsed:

0.001 s - in org.apache.tika.mime.MimeTypesTest

 

[INFO] Running org.apache.tika.mime.TestMimeTypes

 

[INFO] Tests run: 80, Failures: 0, Errors: 0, Skipped: 0, Time elapsed:

8.997 s - in org.apache.tika.mime.TestMimeTypes

 

[INFO] Running org.apache.tika.TestCorruptedFiles

 

[WARNING] Tests run: 1, Failures: 0, Errors: 0, Skipped: 1, Time elapsed:

0.001 s - in 

[jira] [Comment Edited] (TIKA-3073) Add compression option to /rmeta output

2020-03-18 Thread Konstantin Gribov (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-3073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17061672#comment-17061672
 ] 

Konstantin Gribov edited comment on TIKA-3073 at 3/18/20, 12:32 PM:


[~tallison], usually a webserver should accept the HTTP {{Accept-Encoding: gzip, 
deflate}} header (you could set it with curl's {{--compressed}}), but I don't 
know how this should be configured in CXF. But it seems tika-server ignores it 
and just uses {{chunked}}. So, IMHO, it's out of scope for JAX-RS but more to do 
with CXF/Jetty. Jetty itself has 
[https://www.eclipse.org/jetty/documentation/current/gzip-filter.html] which 
can be enabled for the whole server by adding it with 
{{org.eclipse.jetty.server.Server#insertHandler}}.

Some servers would return {{Content-Encoding}} instead of {{Transfer-Encoding}} 
and curl supports both. To test, just call {{curl --compressed --http1.1 -v 
https://code.jquery.com/jquery-3.3.1.slim.min.js}} with and without the 
{{--compressed}} flag.


was (Author: grossws):
[~tallison], usually webserver should accept HTTP {{Accept-Encoding: gzip, 
deflate}} header (you could set it with curl's --compressed), but I don't know 
how this should be configured in CXF. But it seems tika-server ignores it and 
just use {{chunked}}. So, IMHO, it's out of scope for JAX-RS but more to do 
with CXF/Jetty. Jetty itself has 
[https://www.eclipse.org/jetty/documentation/current/gzip-filter.html] which 
can be enabled for whole server using by adding it with 
{{org.eclipse.jetty.server.Server#insertHandler}}.

Some servers would return {{Content-Encoding}} instead of {{Transfer-Encoding}} 
and curl supports both. To test just call {{curl --compressed --http1.1 -v 
[https://code.jquery.com/jquery-3.3.1.slim.min.js]-}} with and without 
{{-compressed}} flag.

> Add compression option to /rmeta output
> ---
>
> Key: TIKA-3073
> URL: https://issues.apache.org/jira/browse/TIKA-3073
> Project: Tika
> Issue Type: Task
> Reporter: Tim Allison
> Priority: Major
>
> On TIKA-3069, [~carina.antunes] requested compressing /rmeta output. This 
> makes sense as a start...we might also look into allowing more 
> configurability around which metadata fields and file types to send back over 
> the wire.  Few people need everything...



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Comment Edited] (TIKA-3073) Add compression option to /rmeta output

2020-03-18 Thread Konstantin Gribov (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-3073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17061672#comment-17061672
 ] 

Konstantin Gribov edited comment on TIKA-3073 at 3/18/20, 12:31 PM:


[~tallison], usually a webserver should accept the HTTP {{Accept-Encoding: gzip, 
deflate}} header (you could set it with curl's --compressed), but I don't know 
how this should be configured in CXF. But it seems tika-server ignores it and 
just uses {{chunked}}. So, IMHO, it's out of scope for JAX-RS but more to do 
with CXF/Jetty. Jetty itself has 
[https://www.eclipse.org/jetty/documentation/current/gzip-filter.html] which 
can be enabled for the whole server by adding it with 
{{org.eclipse.jetty.server.Server#insertHandler}}.

Some servers would return {{Content-Encoding}} instead of {{Transfer-Encoding}} 
and curl supports both. To test, just call {{curl --compressed --http1.1 -v 
https://code.jquery.com/jquery-3.3.1.slim.min.js}} with and without the 
{{--compressed}} flag.


was (Author: grossws):
[~tallison], usually webserver should accept HTTP {{Accept-Encoding: gzip, 
deflate}} header (you could set it with curl's --compressed), but I don't know 
how this should be configured in CXF. But it seems tika-server ignores it and 
just use {{chinked}}. So, IMHO, it's out of scope for JAX-RS but more to do 
with CXF/Jetty. Jetty itself has 
https://www.eclipse.org/jetty/documentation/current/gzip-filter.html which can 
be enabled for whole server using by adding it with 
{{org.eclipse.jetty.server.Server#insertHandler}}.

Some servers would return {{Content-Encoding}} instead of {{Transfer-Encoding}} 
and curl supports both. To test just call {{curl --compressed --http1.1 -v 
https://code.jquery.com/jquery-3.3.1.slim.min.js}} with and without 
{{--compressed}} flag.

> Add compression option to /rmeta output
> ---
>
> Key: TIKA-3073
> URL: https://issues.apache.org/jira/browse/TIKA-3073
> Project: Tika
> Issue Type: Task
> Reporter: Tim Allison
> Priority: Major
>
> On TIKA-3069, [~carina.antunes] requested compressing /rmeta output. This 
> makes sense as a start...we might also look into allowing more 
> configurability around which metadata fields and file types to send back over 
> the wire.  Few people need everything...





[jira] [Commented] (TIKA-3073) Add compression option to /rmeta output

2020-03-18 Thread Konstantin Gribov (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-3073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17061672#comment-17061672
 ] 

Konstantin Gribov commented on TIKA-3073:
-

[~tallison], usually a webserver should accept the HTTP {{Accept-Encoding: gzip, 
deflate}} header (you could set it with curl's --compressed), but I don't know 
how this should be configured in CXF. But it seems tika-server ignores it and 
just uses {{chunked}}. So, IMHO, it's out of scope for JAX-RS but more to do 
with CXF/Jetty. Jetty itself has 
https://www.eclipse.org/jetty/documentation/current/gzip-filter.html which can 
be enabled for the whole server by adding it with 
{{org.eclipse.jetty.server.Server#insertHandler}}.

Some servers would return {{Content-Encoding}} instead of {{Transfer-Encoding}} 
and curl supports both. To test, just call {{curl --compressed --http1.1 -v 
https://code.jquery.com/jquery-3.3.1.slim.min.js}} with and without the 
{{--compressed}} flag.

> Add compression option to /rmeta output
> ---
>
> Key: TIKA-3073
> URL: https://issues.apache.org/jira/browse/TIKA-3073
> Project: Tika
> Issue Type: Task
> Reporter: Tim Allison
> Priority: Major
>
> On TIKA-3069, [~carina.antunes] requested compressing /rmeta output. This 
> makes sense as a start...we might also look into allowing more 
> configurability around which metadata fields and file types to send back over 
> the wire.  Few people need everything...





Re: JDK 12 build issues

2020-03-18 Thread Tim Allison
Haven’t tried...we should add java 12-14 to Jenkins.

Wait, are we up to 18 yet...

Will look into it...

On Tue, Mar 17, 2020 at 10:07 PM Chris Mattmann  wrote:

> Hey Tim et al.,
>
>
>
> Do the tests fail for you with Java 12?
>
>
>
> [INFO] Running org.apache.tika.parser.pkg.GzipParserTest
>
> [INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed:
> 0.397 s - in org.apache.tika.parser.pkg.GzipParserTest
>
> [INFO] Running org.apache.tika.TestXMLEntityExpansion
>
> [WARNING] Tests run: 3, Failures: 0, Errors: 0, Skipped: 1, Time elapsed:
> 0.085 s - in org.apache.tika.TestXMLEntityExpansion
>
> [INFO] Running org.apache.tika.mime.MimeTypeTest
>
> [INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed:
> 0.001 s - in org.apache.tika.mime.MimeTypeTest
>
> [INFO] Running org.apache.tika.mime.MimeTypesTest
>
> [INFO] Tests run: 5, Failures: 0, Errors: 0, Skipped: 0, Time elapsed:
> 0.001 s - in org.apache.tika.mime.MimeTypesTest
>
> [INFO] Running org.apache.tika.mime.TestMimeTypes
>
> [INFO] Tests run: 80, Failures: 0, Errors: 0, Skipped: 0, Time elapsed:
> 8.997 s - in org.apache.tika.mime.TestMimeTypes
>
> [INFO] Running org.apache.tika.TestCorruptedFiles
>
> [WARNING] Tests run: 1, Failures: 0, Errors: 0, Skipped: 1, Time elapsed:
> 0.001 s - in org.apache.tika.TestCorruptedFiles
>
> [INFO]
>
> [INFO] Results:
>
> [INFO]
>
> [ERROR] Failures:
>
> [ERROR]
>  
> TesseractOCRParserTest.confirmMultiPageTiffHandling:290->TikaTest.assertContains:110
> Page 2 not found in:
>
> http://www.w3.org/1999/xhtml;>
>
>  content="org.apache.tika.parser.ocr.TesseractOCRParser" />
>
> Multipage
>
> TIFF
>
> Example
>
> Page 1
>
> [ERROR]
>  TesseractOCRParserTest.testOCROutputsHOCR:146->TikaTest.assertContains:110
> Happy not found in:
>
> http://www.w3.org/1999/xhtml;>
>
> Presentation1
>
> http://www.w3.org/1999/xhtml;>
>
>  content="org.apache.tika.parser.ocr.TesseractOCRParser" />
>
>  content="org.apache.tika.parser.image.ImageParser" />
>
>   Happy
>
>   New
>
>   Year
>
>   2003!
>
> [INFO]
>
> [ERROR] Tests run: 1188, Failures: 2, Errors: 0, Skipped: 48
>
> [INFO]
>
> [INFO]
> 
>
> [INFO] Reactor Summary for Apache Tika 2.0.0-SNAPSHOT:
>
> [INFO]
>
> [INFO] Apache Tika parent . SUCCESS [
> 8.822 s]
>
> [INFO] Apache Tika core ... SUCCESS [
> 39.589 s]
>
> [INFO] Apache Tika parsers  FAILURE [09:04
> min]
>
> [INFO] Apache Tika OSGi bundle  SKIPPED
>
> [INFO] Apache Tika XMP  SKIPPED
>
> [INFO] Apache Tika serialization .. SKIPPED
>
> [INFO] Apache Tika batch .. SKIPPED
>
> [INFO] Apache Tika language detection . SKIPPED
>
> [INFO] Apache Tika application  SKIPPED
>
> [INFO] Apache Tika translate .. SKIPPED
>
> [INFO] Apache Tika server . SKIPPED
>
> [INFO] Apache Tika eval ... SKIPPED
>
> [INFO] Apache Tika examples ... SKIPPED
>
> [INFO] Apache Tika Java-7 Components .. SKIPPED
>
> [INFO] Apache Tika Deep Learning (powered by DL4J)  SKIPPED
>
> [INFO] Apache Tika Natural Language Processing  SKIPPED
>
> [INFO] Apache Tika  SKIPPED
>
> [INFO]
> 
>
> [INFO] BUILD FAILURE
>
> [INFO]
> 
>
> [INFO] Total time:  09:57 min
>
> [INFO] Finished at: 2020-03-17T18:31:10-07:00
>
> [INFO]
> 
>
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M4:test (default-test)
> on project tika-parsers: There are test failures.
>
> [ERROR]
>
> [ERROR] Please refer to
> /Users/mattmann/src/tika/tika-parsers/target/surefire-reports for the
> 

Release Announcement: General Availability of Java 14 / JDK 14

2020-03-18 Thread Rory O'Donnell

 Hi Tim,


Release Announcement: General Availability of Java 14 / JDK 14 [1]

 * JDK 14, the reference implementation of Java 14, is now Generally
   Available.
 * GPL-licensed OpenJDK builds from Oracle are available here:
   https://jdk.java.net/14
 * JDK 14 Release notes

JDK 14 includes sixteen features [2]:

  305: Pattern Matching for instanceof (Preview)
  343: Packaging Tool (Incubator)
  345: NUMA-Aware Memory Allocation for G1
  349: JFR Event Streaming
  352: Non-Volatile Mapped Byte Buffers
  358: Helpful NullPointerExceptions
  359: Records (Preview)
  361: Switch Expressions (Standard)
  362: Deprecate the Solaris and SPARC Ports
  363: Remove the Concurrent Mark Sweep (CMS) Garbage Collector
  364: ZGC on macOS
  365: ZGC on Windows
  366: Deprecate the ParallelScavenge + SerialOld GC Combination
  367: Remove the Pack200 Tools and API
  368: Text Blocks (Second Preview)
  370: Foreign-Memory Access API (Incubator)

Thanks to everyone who contributed to JDK 14, whether by creating 
features or enhancements, logging bugs, or downloading and testing the 
early-access builds.


OpenJDK 15 EA build 14 is now available at http://jdk.java.net/15

 * These early access, open source builds are provided under the GNU
   General Public License, version 2, with the Classpath Exception.
 * Significant changes since the last availability email:
    o Build 13 - JDK-8238555: Allow Initialization of SunPKCS11 with NSS
      when there are external FIPS modules in the NSSDB
    o Build 10 - JDK-8237776: Shenandoah: Wrong result with Lucene test
       + Reported by Apache Lucene.
    o Build 9 - JDK-8222793: Javadoc tool ignores "-locale" param and uses
      default locale for all messages and texts
       + Reported by Apache Lucene.

Project Metropolis Early-Access Builds - Build 14-metropolis+1-17 (2020/3/5)

 * These builds are intended for developers looking to test and provide
   feedback on using Graal, in form of native library
   (libjvmcicompiler.so), instead of C2 as HotSpot high optimizing
   JIT compiler.
 * These early-access builds are provided under the GNU General Public
   License, version 2, with the Classpath Exception.
 * Please send feedback via e-mail to metropolis-...@openjdk.java.net.
   To send e-mail to this address you must first subscribe to the
   mailing list.


Regards,
Rory

[1] https://mail.openjdk.java.net/pipermail/jdk-dev/2020-March/004089.html
[2] https://openjdk.java.net/projects/jdk/14

--
Rgds, Rory O'Donnell
Quality Engineering Manager
Oracle EMEA, Dublin, Ireland



[jira] [Comment Edited] (TIKA-3074) Vulnerable "woodstox-core" is present inside Tika 1.23

2020-03-18 Thread Abhishek Chauhan (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-3074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17061411#comment-17061411
 ] 

Abhishek Chauhan edited comment on TIKA-3074 at 3/18/20, 7:02 AM:
--

Thank you [~tallison] for your reply.

I have created an issue at cxf https://issues.apache.org/jira/browse/CXF-8245 
and linked this issue with it.


was (Author: abchauha):
Thank you [~tallison] for your reply.

I will open the issue and link it to this issue, would you please share the URL 
which may allow me to create an issue at cxf.

> Vulnerable "woodstox-core" is present inside Tika 1.23
> --
>
> Key: TIKA-3074
> URL: https://issues.apache.org/jira/browse/TIKA-3074
> Project: Tika
> Issue Type: Bug
> Reporter: Abhishek Chauhan
> Priority: Major
>
> *Short Description:*  woodstox-core is a transitive dependency of Apache 
> Tika. Checked the pom inside tika-app-1.23.jar, it seems that it is 
> internally using 5.0.3 version of woodstox-core, which is vulnerable.
> *Root Cause :* tika-app-1.23.jar; com/ctc/wstx/sax/WstxSAXParserFactory.class 
> : [5.0.1 , 5.3.0]
> *Vulnerability*: The woodstox-core package is vulnerable to Improper 
> Restriction of XML eXternal Entity [XXE] Reference. The setFeature and 
> getFeature methods in WstxSAXParserFactory.class rely on the 
> mSecureProcessing boolean value to be able to securely parse input XML. The 
> boolean value, however, is set to false by default. Additionally, the class 
> lacks support for properties XMLConstants.FEATURE_SECURE_PROCESSING and 
> XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, which can make it possible 
> for an attacker to conduct XXE attacks.
> This vulnerability is addressed in the issue 
> [https://github.com/FasterXML/woodstox/issues/61] 
> *Solution of the Vulnerability*: Issue 
> [https://github.com/FasterXML/woodstox/issues/61] is fixed in version 5.3.0 
> of woodstox-core. Tika may need to upgrade the version of this dependency, 
> so consumers are not affected by transitive dependency.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
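
The check the reporter describes in TIKA-3074 (reading the Maven metadata inside tika-app-1.23.jar to find the bundled woodstox-core version), written out as an added example; it is not part of the Jira thread or of the Tika project's code. The function names are hypothetical, the affected range is assumed to be 5.0.1 up to but excluding 5.3.0 (the version the issue names as fixed), and the example goes beyond the thread by also descending into nested jars.

```python
import io
import re
import zipfile

# Range from the issue text: 5.0.1 up to, but not including, the fixed 5.3.0.
AFFECTED_FROM, FIXED_IN = (5, 0, 1), (5, 3, 0)
POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/woodstox-core/pom\.properties$")

def parse_version(text):
    """Turn '5.0.3' or '5.3.0-SNAPSHOT' into a comparable 3-tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def find_woodstox(jar_bytes, origin="<jar>", depth=2):
    """Return [(location, version, affected)] for each bundled woodstox-core,
    read from Maven's pom.properties, descending `depth` levels into nested jars."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if POM_PROPS.match(name):
                text = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version\s*=\s*(\S+)", text, re.MULTILINE)
                version = m.group(1) if m else ""
                affected = AFFECTED_FROM <= parse_version(version) < FIXED_IN
                hits.append((f"{origin}!{name}", version, affected))
            elif depth > 0 and name.lower().endswith((".jar", ".war")):
                try:
                    hits += find_woodstox(zf.read(name), f"{origin}!{name}", depth - 1)
                except zipfile.BadZipFile:
                    continue  # entry is not a readable archive; skip it
    return hits

def build_sample_jar(version, wrap_in_war=False):
    """Constructed input: a jar holding only woodstox-core's Maven metadata."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("META-INF/maven/com.fasterxml.woodstox/woodstox-core/pom.properties",
                    f"#Generated by Maven\nversion={version}\nartifactId=woodstox-core\n")
    if not wrap_in_war:
        return inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("WEB-INF/lib/woodstox-core.jar", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for loc, ver, bad in find_woodstox(build_sample_jar("5.0.3")):
        print(loc, ver, "AFFECTED" if bad else "ok")
```

To audit a real artifact, pass the file's bytes (`open(path, "rb").read()`) as `jar_bytes`. A jar that was shaded without its `META-INF/maven` entries yields no hits, so an empty result there is not proof that woodstox-core is absent.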