I'm frankly, personally, not motivated to roll a new release for
log4j2 2.17.1 because the vulnerability, IMO, is not a real
vulnerability...if someone has access to your logging config file,
you've got far larger issues.

However, it does look like there are some new problems with iworks
detection and maybe processing.  Once we fix those and/or figure out
what's fixable, then I think we should roll a Tika 2.2.2 with log4j
2.17.1 and those updates.

I'd be grateful for any help getting POI 5.x to work in our OSGi
bundle so that we can upgrade to that ASAP.

Fellow devs, what do you think?

Best,

       Tim

On Fri, Jan 7, 2022 at 11:17 AM Josh Burchard <[email protected]> wrote:
>
> I see that now https://logging.apache.org/log4j/2.x/security.html states that 
> vulnerabilities exist in all versions up to Log4j 2.17.0, so the 
> recommendation is to use 2.17.1.  Is there a plan to spin another Tika 
> release that uses 2.17.1?
>
>
>
>
> From:        "Tim Allison" <[email protected]>
> To:        [email protected], "<[email protected]>" 
> <[email protected]>, [email protected]
> Date:        12/23/2021 03:27 PM
> Subject:        [ANNOUNCE] Apache Tika 2.2.1 released
> ________________________________
>
>
>
> The Apache Tika project is pleased to announce the release of Apache
> Tika 2.2.1. The release contents have been pushed out to the main
> Apache release site and to the Maven Central sync.
>
> Apache Tika is a toolkit for detecting and extracting metadata and
> structured text content from various documents using existing parser
> libraries.
>
> Apache Tika 2.2.1 contains an upgrade to log4j2 2.17.0, a
> critical fix to an OOXML parser regression that was introduced
> in 2.2.0, and upgrades to other dependencies.  Details can be found
> in the changes file:
> https://www.apache.org/dist/tika/2.2.1/CHANGES-2.2.1.txt
>
> Apache Tika is available on the download page:
> https://tika.apache.org/download.html
>
> Apache Tika is also available in binary form or for use using Maven 2
> from the Central Repository:
> https://repo1.maven.org/maven2/org/apache/tika/
>
> When downloading, please remember to verify the downloads using
> signatures found: https://www.apache.org/dist/tika/KEYS
>
> For more information on Apache Tika, visit the project home page:
> https://tika.apache.org/
>
> -- Tim Allison, on behalf of the Apache Tika community
>
>
