Thank you, Konstantin!

On Mon, Dec 11, 2023 at 2:22 PM Konstantin Gribov <[email protected]> wrote:

> Hi, folks.
>
> All the checksums and PGP signatures seem fine to me.
>
> Just built Tika 3.0.0-BETA successfully with OpenJDK 17 (Temurin 17.0.9+9)
> on ArchLinux w/ Tesseract 5.3.3-1 and 1.83.1-1.
>
> It seems that the solr-solrj 8.11.2 dependency in Solr Emitter brought in
> vulnerable logback-core 1.4.13 [1, 2] transitively via the Zookeeper
> dependency. Downstream users will likely either exclude Logback or use a
> bare tika-emitter-solr jar alongside tika-server/tika-app.
>
> Even if a user brings in tika-emitter-solr with Maven, Gradle or another
> dependency management solution with transitive dependencies, to
> successfully exploit CVE-2023-6481/CVE-2023-6378 the user has to configure
> a receiver [3] to accept logs from remote systems AFAICT.
>
> So, I say +1 and think that CVE-2023-6481 should be mentioned in the
> announcement with a note that if a downstream project makes use of Logback
> centralized logging via receivers, it may be vulnerable to this DoS attack.
>
> [1]: https://ossindex.sonatype.org/vulnerability/CVE-2023-6481?component-type=maven&component-name=ch.qos.logback%2Flogback-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
> [2]: https://logback.qos.ch/news.html#1.3.14
> [3]: https://logback.qos.ch/manual/receivers.html
>
> --
> Best regards,
> Konstantin Gribov.
>
>
> On Mon, Dec 11, 2023 at 5:47 PM Tim Allison <[email protected]> wrote:
>
>> All,
>> We have two +1s. We need another +1 for the release. If a fellow dev has
>> the time to vote, please do! Thank you.
>>
>> Best,
>>
>> Tim
>>
>> On Wed, Dec 6, 2023 at 3:17 PM Tim Allison <[email protected]> wrote:
>>
>>> Oops, I forgot to include my +1 for this RC1 for 3.0.0-BETA. Would
>>> another fellow dev be willing to vote? Thank you!
>>>
>>> On Sat, Dec 2, 2023 at 5:39 AM Tilman Hausherr <[email protected]>
>>> wrote:
>>>
>>>> +1
>>>>
>>>> Successful build on German Windows 10, openjdk version "21.0.1"
>>>> 2023-10-17 LTS
>>>>
>>>> Tilman
>>>>
>>>> On 01.12.2023 18:25, Tim Allison wrote:
>>>> > A candidate for the Tika 3.0.0-BETA release is available at:
>>>> > https://dist.apache.org/repos/dist/dev/tika/3.0.0-BETA
>>>> >
>>>> > The release candidate is a zip archive of the sources in:
>>>> > https://github.com/apache/tika/tree/3.0.0-BETA-rc1/
>>>> >
>>>> > The SHA-512 checksum of the archive is
>>>> > 6a98e19f73e0ccf9c902cf869fb50c0c7314231d1c83d3d84220846d6f46a3983087f6199b14c8bbc62dea54411c7f40d7cf5040efb1ce18b5fd4d61de059736.
>>>> >
>>>> > In addition, a staged maven repository is available here:
>>>> > https://repository.apache.org/content/repositories/orgapachetika-1097/org/apache/tika
>>>> >
>>>> > Please vote on releasing this package as Apache Tika 3.0.0-BETA.
>>>> > The vote is open for the next 72 hours and passes if a majority of at
>>>> > least three +1 Tika PMC votes are cast.
>>>> >
>>>> > [ ] +1 Release this package as Apache Tika 3.0.0-BETA
>>>> > [ ] -1 Do not release this package because..
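The Logback exclusion Konstantin mentions, as an added example that is not part of the thread and not Tika's own build configuration: a downstream Maven POM fragment that depends on tika-emitter-solr but keeps the transitively pulled logback-core off the classpath. Assumptions: org.apache.tika is the groupId of tika-emitter-solr, the downstream project supplies its own SLF4J binding, and logback-classic is excluded together with logback-core because classic requires core.

```xml
<!-- Added example (not from the thread): downstream pom.xml fragment that
     keeps the transitive logback-core 1.4.13 (CVE-2023-6481 / CVE-2023-6378)
     out of the runtime classpath.
     Assumed: org.apache.tika is the groupId of tika-emitter-solr. -->
<dependencies>
  <dependency>
    <groupId>org.apache.tika</groupId>
    <artifactId>tika-emitter-solr</artifactId>
    <version>3.0.0-BETA</version>
    <exclusions>
      <!-- logback-core is the affected artifact; logback-classic depends
           on it, so exclude both to avoid a classic-without-core mismatch
           when the application starts. -->
      <exclusion>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-core</artifactId>
      </exclusion>
      <exclusion>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-classic</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>
```

Confirm the result with `mvn dependency:tree -Dincludes=ch.qos.logback`, which should list no Logback artifacts under tika-emitter-solr afterwards. An exclusion only covers this dependency's subtree, so any other dependency that brings in Logback needs the same exclusion or a dependencyManagement override to a patched version.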
