Hi, folks. All the checksums and PGP signatures seem fine to me.
Just built Tika 3.0.0-BETA successfully with OpenJDK 17 (Temurin 17.0.9+9) on ArchLinux w/ Tesseract 5.3.3-1 and 1.83.1-1. It seems that solr-solrj 8.11.2 dependency in Solr Emitter brought vulnerable logback-core 1.4.13 [1, 2] transitively via Zookeeper dependency. Downstream user will likely either exclude Logback or use a bare tika-emitter-solr jar alongside tika-server/tika-app. Even if user brings tika-emitter-solr with Maven, Gradle or another dependency management solution with transitive dependencies to successfully exploit CVE-2023-6481/CVE-2023-6378 user have to configure receiver [3] to accept logs from remote systems AFICT. So, I say +1 and think that CVE-2023-6481 should be mentioned in the announcement with note that if downstream project make use of Logback centralized logging via receivers that may be vulnerable to this DoS attack. [1]: https://ossindex.sonatype.org/vulnerability/CVE-2023-6481?component-type=maven&component-name=ch.qos.logback%2Flogback-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1 [2]: https://logback.qos.ch/news.html#1.3.14 [3]: https://logback.qos.ch/manual/receivers.html -- Best regards, Konstantin Gribov. On Mon, Dec 11, 2023 at 5:47 PM Tim Allison <[email protected]> wrote: > All, > We have two +1s. We need another +1 for the release. If a fellow dev has > the time to vote, please do! Thank you. > > Best, > > Tim > > On Wed, Dec 6, 2023 at 3:17 PM Tim Allison <[email protected]> wrote: > >> Oops, I forgot to include my +1 for this RC1 for 3.0.0-BETA. Would >> another fellow dev be willing to vote? Thank you! >> >> On Sat, Dec 2, 2023 at 5:39 AM Tilman Hausherr <[email protected]> >> wrote: >> >>> +1 >>> >>> successful build on german windows 10 openjdk version "21.0.1" >>> 2023-10-17 LTS >>> >>> Tilman >>> >>> >>> >>> On 01.12.2023 18:25, Tim Allison wrote: >>> > A candidate for the Tika 3.0.0-BETA release is available at: >>> > https://dist.apache.org/repos/dist/dev/tika/3.0.0-BETA >>> > >>> > The release candidate is a zip archive of the sources in: >>> > https://github.com/apache/tika/tree/3.0.0-BETA-rc1/ >>> > >>> > The SHA-512 checksum of the archive is >>> > >>> 6a98e19f73e0ccf9c902cf869fb50c0c7314231d1c83d3d84220846d6f46a3983087f6199b14c8bbc62dea54411c7f40d7cf5040efb1ce18b5fd4d61de059736. >>> > >>> > In addition, a staged maven repository is available here: >>> > >>> https://repository.apache.org/content/repositories/orgapachetika-1097/org/apache/tika >>> > >>> > Please vote on releasing this package as Apache Tika 3.0.0-BETA. >>> > The vote is open for the next 72 hours and passes if a majority of at >>> > least three +1 Tika PMC votes are cast. >>> > >>> > [ ] +1 Release this package as Apache Tika 3.0.0-BETA >>> > [ ] -1 Do not release this package because.. >>> >>> >>>
