Thanks, Team for your reply.
There are few things that we need your input/suggestion,
- As you said in the earlier mail that is it possible to provide the tika-server-standard-2.9.5.jar file compiled with checksum information which is needed for us to keep track of the tika jars in our repository as a private build.
- If you are building tika 2.9.5 as an un-official build, is it compiled using Java 1.8 as we have dependency on that with our old release which support Java 1.8 only.
- Is it possible to download pdfbox jar and do a mere replacement instead of doing the maven build say replacing only class files that supposed to be needed for pdfbox code with the newer version. Your suggestion on this and its feasibility to do so. If that possible, can you please provide the link to download pdfbox jar and its checksum details.
- Can you confirm that pdfbox 2.0.35 as per the recent code change for the vulnerability fix in 2.x code stream is that has any dependency on Java version higher than 1.8.
Please note that we are using the Tika in our Domino product older versions as well of which it has Java dependency of 1.8. So, we are looking for one of the best solutions to address this vulnerability issue fixed to our customers who are running with Java 1.8 with Tika 2.x in their environment.
As I mentioned earlier that we cannot compile the Tika 2.9.5 in our build environment and we have to stick to Tika 2.9.x for our older releases which supports Java 1.8 not higher. So, we are looking for your great support on this to resolve with best optimal solution.
Thanks & Regards,
Saravanan B
----- Original message -----
From: "Tilman Hausherr" <[email protected]>
To: [email protected]
Subject: Re: Tika compilation error branch_2x
Date: Mon, Oct 13, 2025 12:48 PM
- [CAUTION: This email is from outside the organization. Unless you trust the sender, don't click links or open attachments as it may be a phishing email, which can steal your information and compromise your computer.]
Hi,Re (3) no, this isn't possible. Our builds do load external libraries. Which means that (2) also isn't possible.Re (4), what I could do is to set the tika2 build job on our ci back up so you'd get a snapshot build. However this would use the latest versions of the external libraries, and thus you would have to use the complete server jar. And this isn't something "official".The better solution would be to update to 3.* instead of spending work time on such weird workarounds. The risk of supply chain attacks (indirectly mentioned in (1)) is the same when we run our builds on our ci because we still use the external libraries and these could be "evil" without us noticing. Although I haven't heard of attacks on java / maven (mostly on js and python, and the xz attack), the risk will grow in the future due to people like us getting too old / ill / senile / dead. So consider running your server in a controlled environment so that an "evil" PDF (with an "evil" XFA in it) won't be able to do anything.TilmanAm 13.10.2025 um 06:33 schrieb Saravanan Balakrishnan:Hi Tika Team,I am looking for feasible solution for your problem as we are trying to compile branch_2x which has the fix for CVE-2025-54988 PDF XXE,
- We have few restrictions on compiling in our build room, we easy way to compile only the affected class files in that branch to get the fix into our build.
- Is there are way to compile only affected folders alone and use the class files in the 2.9.4 jar file, which is released. All we need is to get that fix into 2.9.4 without full compilation.
- When we compile tika-server-standard does it download dependent jar/class files while compiling as our build system doesn't have external access to download dependent files if any. If you could provide some light on this to compile very minimal without downloading jars/classes.
- Is it possible to compile from your end and share it us, I mean branch_2x which creates 2.9.5.
Our customers are very keen to get this fixed ASAP. Kindly provide best possible solution to get the vulnerability fix for 2.x release.We appreciate your valuable time and response.Regards,Saravanan B
