It's a fair point you make about the config file, Tim. Personally I'll be waiting for 2.2.2 because if we ship with a Tika server that has potential vulnerabilities, no matter how unlikely they are to be exploited on our customers' systems, I inevitably have to answer a bunch of support questions and calm their fears. The less of that there is, the better, IMHO. 2.2.2 also has a nice ring to it. ;-)
From: "Tim Allison" <[email protected]>
To: [email protected], "<[email protected]>" <[email protected]>
Date: 01/07/2022 01:15 PM
Subject: Re: [ANNOUNCE] Apache Tika 2.2.1 released

I'm frankly, personally, not motivated to roll a new release for log4j2 2.17.1 because the vulnerability, IMO, is not a real vulnerability...if someone has access to your logging config file, you've got far larger issues.

However, it does look like there are some new problems with iworks detection and maybe processing. Once we fix those and/or figure out what's fixable, then I think we should roll a Tika 2.2.2 with log4j 2.17.1 and those updates.

I'd be grateful for any help getting POI 5.x to work in our osgi bundle so that we can upgrade to that asap.

Fellow devs, what do you think?

Best,

Tim

On Fri, Jan 7, 2022 at 11:17 AM Josh Burchard <[email protected]> wrote:
>
> I see that now https://logging.apache.org/log4j/2.x/security.html states that vulnerabilities exist in all versions up to Log4j 2.17.0, so the recommendation is to use 2.17.1. Is there a plan to spin another Tika release that uses 2.17.1?
>
> From: "Tim Allison" <[email protected]>
> To: [email protected], "<[email protected]>" <[email protected]>, [email protected]
> Date: 12/23/2021 03:27 PM
> Subject: [ANNOUNCE] Apache Tika 2.2.1 released
> ________________________________
>
> The Apache Tika project is pleased to announce the release of Apache Tika 2.2.1. The release contents have been pushed out to the main Apache release site and to the Maven Central sync.
>
> Apache Tika is a toolkit for detecting and extracting metadata and structured text content from various documents using existing parser libraries.
>
> Apache Tika 2.2.1 contains an upgrade to log4j2 2.17.0, a critical fix to an OOXML parser regression that was introduced in 2.2.0, and upgrades to other dependencies. Details can be found in the changes file:
> https://www.apache.org/dist/tika/2.2.1/CHANGES-2.2.1.txt
>
> Apache Tika is available on the download page:
> https://tika.apache.org/download.html
>
> Apache Tika is also available in binary form or for use using Maven 2 from the Central Repository:
> https://repo1.maven.org/maven2/org/apache/tika/
>
> When downloading, please remember to verify the downloads using signatures found: https://www.apache.org/dist/tika/KEYS
>
> For more information on Apache Tika, visit the project home page:
> https://tika.apache.org/
>
> -- Tim Allison, on behalf of the Apache Tika community
smime.p7s
Description: S/MIME Cryptographic Signature
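One check a downstream packager in this position would want, added here as an illustration (not code from the thread or from the Tika project): scan `mvn dependency:tree` output for any resolved log4j-core below the 2.17.1 the thread settles on. The sample tree below is constructed, not taken from a real Tika build.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output for a build that
# still resolves log4j-core 2.17.0 (the version the thread discusses).
SAMPLE_TREE = """\
[INFO] org.apache.tika:tika-server-standard:jar:2.2.1
[INFO] +- org.apache.tika:tika-core:jar:2.2.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.17.0:compile
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.0:runtime
[INFO] \\- org.apache.poi:poi:jar:4.1.2:compile
"""

# One resolved dependency: groupId:artifactId:type[:classifier]:version:scope
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+(?::[\w\-]+)?:([\w.\-]+):(\w+)")


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric prefix of a version ('2.17.0' -> (2, 17, 0)). A qualifier
    such as '-rc1' is dropped, so a release candidate sorts with its release."""
    nums = re.match(r"(\d+(?:\.\d+)*)", v)
    return tuple(int(x) for x in nums.group(1).split(".")) if nums else (0,)


def find_outdated(tree: str, group: str, artifact: str, minimum: str) -> List[Tuple[str, str]]:
    """Return (artifact, version) for every resolved occurrence of
    group:artifact whose version is below `minimum`."""
    hits = []
    for line in tree.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue  # root coordinate or non-dependency output line
        g, a, v, _scope = m.groups()
        if g == group and a == artifact and version_key(v) < version_key(minimum):
            hits.append((a, v))
    return hits


if __name__ == "__main__":
    # Example run against the constructed tree; a real check would feed
    # the captured output of `mvn dependency:tree` instead.
    for artifact, version in find_outdated(
        SAMPLE_TREE, "org.apache.logging.log4j", "log4j-core", "2.17.1"
    ):
        print(f"{artifact} resolved at {version}, below required 2.17.1")
```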
