Reports are here: https://corpora.tika.apache.org/base/reports/tika-2.9.1-reports.tgz
I haven't had a chance to look at them yet. :( Will take a look early Monday (ET).

On Wed, Oct 11, 2023 at 10:24 AM Tim Allison <[email protected]> wrote:

> Unless there are objections, I'll kick off the 2.9.1 regression tests
> shortly. I just cherry-picked TIKA-4153 into 2.x...will be interesting to
> see how that works.
>
> Best,
>
> Tim
>
> On Tue, Oct 10, 2023 at 1:37 PM Tim Allison <[email protected]> wrote:
>
>> All,
>> Nandita's email didn't go through for some reason.
>> Seems reasonable to kick off a 2.9.1 release cycle? What do you
>> think?
>>
>> Best,
>>
>> Tim
>>
>> *From:* Nandita Mohan
>> *Sent:* Monday, October 9, 2023 3:41 PM
>> *To:* [email protected]
>> *Subject:* Requesting Tika Server release: commons-compress vulnerability
>>
>> Hi there,
>>
>> I work on a service which needs to upgrade our images due to this
>> vulnerability in Apache *commons-compress*: Apache Commons Compress
>> denial of service vulnerability · CVE-2023-42503 · GitHub Advisory Database
>> <https://github.com/advisories/GHSA-cgwf-w82q-5jrr>
>>
>> This is due to use of Tika Server 2.9.0 (Apache Tika – Apache Tika 1.27
>> <https://tika.apache.org/2.9.0/index.html>), which has commons-compress
>> as a dependency. I saw that Tim Allison recently updated this
>> *commons-compress* version in the Github mirror repo: TIKA-4123 --
>> general updates for 3.0.0-BETA -- upgrade commons-compress ·
>> apache/tika@3c88246 (github.com)
>> <https://github.com/apache/tika/commit/3c882460838c818ab2aff310d1fba9a084fe4800>
>>
>> We would greatly appreciate if this could be released to tika-server
>> package in the next week, so we can update our images soon from this
>> vulnerability.
>>
>> Thanks,
>>
>> Nandita Mohan
