Hi,
Re (3) no, this isn't possible. Our builds do load external libraries.
Which means that (2) also isn't possible.
Re (4), what I could do is to set the tika2 build job on our ci back up
so you'd get a snapshot build. However this would use the latest
versions of the external libraries, and thus you would have to use the
complete server jar. And this isn't something "official".
The better solution would be to update to 3.* instead of spending work
time on such weird workarounds. The risk of supply chain attacks
(indirectly mentioned in (1)) is the same when we run our builds on our
ci because we still use the external libraries and these could be "evil"
without us noticing. Although I haven't heard of attacks on java / maven
(mostly on js and python, and the xz attack), the risk will grow in the
future due to people like us getting too old / ill / senile / dead. So
consider running your server in a controlled environment so that an
"evil" PDF (with an "evil" XFA in it) won't be able to do anything.
https://tika.apache.org/security-model.html
Tilman
On 13.10.2025 at 06:33, Saravanan Balakrishnan wrote:
Hi Tika Team,
I am looking for a feasible solution for your problem, as we are trying
to compile branch_2x, which has the fix for CVE-2025-54988 PDF XXE.
1. We have a few restrictions on compiling in our build room. Is there an easy
way to compile only the affected class files in that branch to get
the fix into our build?
2. Is there a way to compile only the affected folders alone and use
the class files in the 2.9.4 jar file, which is released? All we
need is to get that fix into 2.9.4 without a full compilation.
3. When we compile tika-server-standard, does it download dependent
jar/class files while compiling? Our build system doesn't have
external access to download dependent files, if any. Could you
provide some light on how to compile very minimally without
downloading jars/classes?
4. Is it possible to compile it from your end and share it with us? I mean
branch_2x, which creates 2.9.5.
Our customers are very keen to get this fixed ASAP. Kindly provide the
best possible solution to get the vulnerability fix for the 2.x release.
We appreciate your valuable time and response.
Regards,
Saravanan B