Hi Slava,

You're right -- we will upgrade PDFBox soon and roll a release of Tika within a week or so. I haven't looked closely at the PDFBox vulnerability, but I _think_ the current one isn't a problem for Tika users, but, right, we'll be upgrading and releasing soon.

I'm not currently aware of any vulnerabilities in Tika's XML parsers. We implemented the DRY approach that PDFBox just did as part of our last fixes to XML vulnerabilities. AFAIK, all of our XML parsing is done through XMLReaderUtils, which is hardened against XML vulnerabilities. See: https://tika.apache.org/security.html

If you find any problems or vulnerabilities, please let us know via our [email protected] list.

Thank you.

Best,

Tim

On Fri, Apr 12, 2019 at 1:47 AM Slava G <[email protected]> wrote:
> Hi,
> There was a topic in the pdfbox mailing list that explains this CVE, and
> they recommended migrating to pdfbox 2.0.15, and I knew that a new Tika would
> be released somewhere soon with this new PDFBox.
> But what about TIKA XML parsers (not related to PDF)? Is this CVE also
> present in them? If yes, what is the mitigation?
>
> Thanks
>
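Tim's reply above says that Tika funnels all XML parsing through XMLReaderUtils, which is hardened against XML vulnerabilities, and that this mirrors the "DRY" approach PDFBox took. The Java below is an added illustration of what such centralised hardening looks like; it is not Tika's XMLReaderUtils code and not part of this thread. It builds a SAX XMLReader with the standard JAXP/Xerces hardening features (secure processing, DOCTYPE disallowed, external entities and external DTD loading off, a no-op entity resolver) from a single factory method, then runs that reader over constructed inputs: one benign document and two carrying a DOCTYPE, an external-entity (XXE) reference and a nested-entity expansion. The class name, method names and sample documents are assumptions for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/** Illustrative hardened SAX setup (assumed names; not Tika's XMLReaderUtils). */
public class HardenedXmlExample {

    /** The one place that builds readers, so every caller gets identical hardening. */
    static XMLReader newHardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setValidating(false);
        factory.setXIncludeAware(false);
        // JAXP secure processing: entity expansion and other resource limits.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refuse any DOCTYPE: no entity declarations, internal or external, and no DTD fetch.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a parser implementation does not honour the feature above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        SAXParser parser = factory.newSAXParser();
        XMLReader reader = parser.getXMLReader();
        // Last line of defence: any external entity lookup resolves to an empty document.
        reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return reader;
    }

    /** Collects character content so we can see what the parser actually delivered. */
    static final class TextCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();

        @Override
        public void characters(char[] ch, int start, int length) {
            text.append(ch, start, length);
        }
    }

    /** Returns the document's text content, or null when the hardened reader rejects it. */
    static String parseText(String xml) throws ParserConfigurationException, SAXException, IOException {
        XMLReader reader = newHardenedReader();
        TextCollector handler = new TextCollector();
        reader.setContentHandler(handler);
        try {
            reader.parse(new InputSource(new StringReader(xml)));
        } catch (SAXException rejected) {
            // With disallow-doctype-decl on, any DOCTYPE fails parsing before entities are touched.
            return null;
        }
        return handler.text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample documents for the demonstration.
        String benign = "<doc>hello</doc>";
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE doc [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
                + "<doc>&xxe;</doc>";
        String nestedEntities = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE lolz [<!ENTITY lol \"lol\"><!ENTITY lol2 \"&lol;&lol;&lol;&lol;\">]>\n"
                + "<lolz>&lol2;</lolz>";

        System.out.println("benign          -> " + parseText(benign));
        System.out.println("xxe             -> " + parseText(xxe));
        System.out.println("nested entities -> " + parseText(nestedEntities));
    }
}
```

The point of routing everything through one factory method is that a missed feature flag is a single-line fix applied everywhere at once, rather than a hunt across every parser in the code base; the parse-level catch shows that the DOCTYPE ban stops the external-entity and entity-expansion documents before any entity is resolved, so the entity resolver and the external-entity features only matter if a parser implementation ignores the DOCTYPE feature.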
