On 08.12.2025 at 14:01, Nicolas Garcin via user wrote:

Thanks for your answer Tilman. Two more questions:

  * When do you think version 2.9.5 will be officially released?

Never. 2.x  is over.



  * Currently, I’m using version 1.28.5 without embedding tika-parsers
    in my classpath. Am I still vulnerable? I think the answer is yes,
    but if you could confirm this, that would be great.

Do you parse PDFs? Then you're vulnerable. You shouldn't use outdated software: https://en.wikipedia.org/wiki/2017_Equifax_data_breach

Tilman







Regards,

Nicolas

*From:* Tilman Hausherr <[email protected]>
*Sent:* Monday 8 December 2025 10:26
*To:* [email protected]
*Subject:* Re: CVE-2025-66516 / CVE-2025-54988: Java 8 compatible fix version ?


Also https://repository.apache.org/content/groups/snapshots/org/apache/tika/tika-app/2.9.5-SNAPSHOT/

Tilman

On 08.12.2025 at 10:24, Tilman Hausherr wrote:

    No, but you can download an unofficial build here where this has
    been fixed and which uses the latest versions of libraries.

    
https://repository.apache.org/content/groups/snapshots/org/apache/tika/tika-server/2.9.5-SNAPSHOT/

    Tilman

    On 08.12.2025 at 09:47, Nicolas Garcin via user wrote:

        Hello,

        I understand that CVE-2025-66516 / CVE-2025-54988 are fixed in
        Tika 3.2.2. This is fine for the latest version of our
        software which is using Java 17, but older versions of our
        software are still in Java 8. Would it be possible to get a
        fix compatible with Java 8 ? I understood from
        
https://cwiki.apache.org/confluence/display/TIKA/Tika+Roadmap+--+2.x%2C+3.x+and+Beyond
        that Java 8 is not supported anymore, but knowing the
        criticality of the vuln, it would be great to have a fix for
        Java 8 as well.

        Thanks and Regards,

        Nicolas
