Thanks Tim,
I don't have a specific issue, just wanted to be sure that we don't have such
a vulnerability, as we parse tons of XML files daily. And not only XML, but
all other formats that enter under the XML parser.

Thanks again

On Fri, Apr 12, 2019, 15:07 Tim Allison <[email protected]> wrote:

> Hi Slava,
>
>   You're right -- we will upgrade PDFBox soon and roll a release of Tika
> within a week or so.  I haven't looked closely at the PDFBox vulnerability,
> but I _think_ the current one isn't a problem for Tika users, but, right,
> we'll be upgrading and releasing soon.
>
>   I'm not currently aware of any vulnerabilities in Tika's XML parsers.
> We implemented the DRY approach that PDFBox just did as part of our last
> fixes to XML vulnerabilities.  AFAIK, all of our XML parsing is done
> through XMLReaderUtils which is hardened against XML vulnerabilities.  See:
> https://tika.apache.org/security.html
>
>   If you find any problems or vulnerabilities, please let us know via our
> [email protected] list. Thank you.
>
>           Best,
>
>                   Tim
>
>
>
> On Fri, Apr 12, 2019 at 1:47 AM Slava G <[email protected]> wrote:
>
>> Hi,
>> There was a topic in the pdfbox mailing list that explains this CVE, and
>> they recommended to migrate to pdfbox 2.0.15 and I knew that new Tika will
>> be released somewhere soon with this new PDFBox.
>> But what about TIKA XML parsers (not related to PDF), is this CVE also
>> present in them? If yes, what is the mitigation?
>>
>> Thanks
>>
>
