Hi Tim,

I saw that this release candidate contains the fixing commit for CVE-2022-30126 [1], is this correct?

I am a bit confused, as this release candidate seems to also contain a commit that is neither in main nor in 2.4.0:
https://github.com/apache/tika/commit/8d765906183296906466afa4e61ebcad059a813c

Is this part of the fix for CVE-2022-30126, or is it unrelated? Why is this only in the 1.x branch?

Thank you for your help!

Kind regards,
Cathy Hu

[1] https://github.com/apache/tika/commit/a36711610fa1f6f5ba0f594803415af795e0b265

On Mon, 2022-05-23 at 10:20 -0400, Tim Allison wrote:
> A candidate for the Tika 1.28.3 release is available at:
> https://dist.apache.org/repos/dist/dev/tika/1.28.3
>
> The release candidate is a zip archive of the sources in:
> https://github.com/apache/tika/tree/1.28.3-rc1/
>
> The SHA-512 checksum of the archive is
>
> 1d4c57f2e63e82285e3b5a492ffcee7039c33f2406df6c484ca32bbf0371747c1bfc5
> 220b8bc8932ff985d430a1cce50de86c51ff0366ee599923dab6cad2ede.
>
> In addition, a staged maven repository is available here:
>
> https://repository.apache.org/content/repositories/orgapachetika-1086/org/apache/tika
>
> Please vote on releasing this package as Apache Tika 1.28.3.
> The vote is open for the next 72 hours and passes if a majority of at
> least three +1 Tika PMC votes are cast.
>
> [ ] +1 Release this package as Apache Tika 1.28.3
> [ ] -1 Do not release this package because...
>
> Here's my +1.
>
> Best,
>
> Tim
>

--
Cathy Hu <[email protected]>
Security Engineer
GPG: 5873 CFD1 8C0E A6D4 9CBB F6C4 062A 1016 1505 A08A
SUSE Software Solutions Germany GmbH
Frankenstrasse 146
90461 Nürnberg
Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman
(HRB 36809, AG Nürnberg)
