Yes, yes it does. I haven't gotten around to getting on my soapbox again, but users of Tika should expect that parsers will misbehave and crash/oom/take forever.

We still want to fix problems when we know about them. Parsing is dangerous.

https://cwiki.apache.org/confluence/display/TIKA/The+Robustness+of+Apache+Tika

On Wed, Oct 11, 2023 at 11:00 AM Josh Burchard <[email protected]> wrote:

> Question on this one. If we're running Tika server in watchdog+forked
> child mode does that somewhat mitigate the problem if we happen to feed
> Tika one of these malformed tar files?
>
> -Josh
>
> ----- Original message -----
> From: "Tim Allison" <[email protected]>
> To: "Tika User" <[email protected]>, "<[email protected]>" <[email protected]>
> Cc:
> Subject: [EXTERNAL] 2.9.1 release?
> Date: Wed, Oct 11, 2023 10:25 AM
>
> Unless there are objections, I'll kick off the 2.9.1 regression tests
> shortly. I just cherry-picked TIKA-4153 into 2.x...will be interesting to
> see how that works.
>
> Best,
>
> Tim
>
> On Tue, Oct 10, 2023 at 1:37 PM Tim Allison <[email protected]> wrote:
>
> All,
> Nandita's email didn't go through for some reason.
> Seems reasonable to kick off a 2.9.1 release cycle? What do you think?
>
> Best,
>
> Tim
>
> From: Nandita Mohan
> Sent: Monday, October 9, 2023 3:41 PM
> To: [email protected]
> Subject: Requesting Tika Server release: commons-compress vulnerability
>
> Hi there,
>
> I work on a service which needs to upgrade our images due to this
> vulnerability in Apache commons-compress: Apache Commons Compress
> denial of service vulnerability · CVE-2023-42503 · GitHub Advisory Database
> <https://github.com/advisories/GHSA-cgwf-w82q-5jrr>
>
> This is due to use of Tika Server 2.9.0 (Apache Tika – Apache Tika 1.27
> <https://tika.apache.org/2.9.0/index.html>), which has commons-compress
> as a dependency. I saw that Tim Allison recently updated this
> commons-compress version in the Github mirror repo: TIKA-4123 -- general
> updates for 3.0.0-BETA -- upgrade commons-compress · apache/tika@3c88246
> (github.com)
> <https://github.com/apache/tika/commit/3c882460838c818ab2aff310d1fba9a084fe4800>
>
> We would greatly appreciate if this could be released to tika-server
> package in the next week, so we can update our images soon from this
> vulnerability.
>
> Thanks,
>
> Nandita Mohan
