Bug#825501: CVE-2016-4434

2018-01-18 Thread Faidon Liambotis
On Thu, Jan 18, 2018 at 10:36:24PM +0100, Salvatore Bonaccorso wrote:
> > > That link says:
> > >   Versions Affected: 
> > >   Apache Tika 0.10 to 1.12
> > > 
> > > So perhaps 1.5 isn't affected after all? I tried to find the relevant
> > > commit in the upstream git but failed :(
> > 
> > Commit 
> > https://github.com/apache/tika/commit/f444fd784b99b181cd7bd54cdec9fbd132b4ef93
> > in 1.17 added a test case, so this might be related to changes in Xerces/J
> > which are possibly bundled by Tika downloads? Might be worth clarifying with
> > Tim Allison.
> 
> Above, you said "so perhaps 1.5 isn't affected after all?". But why
> this conclusion? 1.5 as currently in unstable and oldstable present
> falls within the affected range of 0.15 and 1.12.

s/0.15/0.10/ in what you said just above, but yes, you're obviously
right and I misread the range. Apologies for the confusion -- I guess I
was too enthusiastic in trying to figure out an easy way out of this :)

> So yes, maybe Tim Allison can help identify which are the required
> commits, but the best course might just be to try to update to the newest
> upstream version for unstable.

Indeed! (but note that I'm not the maintainer)

Thanks,
Faidon

--
This is the maintainer address of Debian's Java team. Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#825501: CVE-2016-4434

2018-01-18 Thread Salvatore Bonaccorso
Hi Faidon,

On Fri, Jan 12, 2018 at 07:54:58PM +0100, Moritz Muehlenhoff wrote:
> On Thu, Jan 11, 2018 at 02:03:23PM +0200, Faidon Liambotis wrote:
> > On Fri, May 27, 2016 at 11:58:33AM +0200, Moritz Muehlenhoff wrote:
> > > please see http://seclists.org/oss-sec/2016/q2/413  for details.
> > 
> > That link says:
> >   Versions Affected: 
> >   Apache Tika 0.10 to 1.12
> > 
> > So perhaps 1.5 isn't affected after all? I tried to find the relevant
> > commit in the upstream git but failed :(
> 
> Commit 
> https://github.com/apache/tika/commit/f444fd784b99b181cd7bd54cdec9fbd132b4ef93
> in 1.17 added a test case, so this might be related to changes in Xerces/J
> which are possibly bundled by Tika downloads? Might be worth clarifying with
> Tim Allison.

Above, you said "so perhaps 1.5 isn't affected after all?". But why
this conclusion? 1.5 as currently in unstable and oldstable present
falls within the affected range of 0.15 and 1.12.

The issue is claimed to be fixed in upstream 1.13 (and, as Moritz
pointed out, a test was added). Comparing commits between 1.12 and 1.13,
I was unable to isolate the relevant commit(s), but there are some
touching the code for "OOXML files and XMP in PDF and other file
formats".

So yes, maybe Tim Allison can help identify which are the required
commits, but the best course might just be to try to update to the newest
upstream version for unstable.

Regards,
Salvatore



Bug#825501: CVE-2016-4434

2018-01-12 Thread Moritz Muehlenhoff
On Thu, Jan 11, 2018 at 02:03:23PM +0200, Faidon Liambotis wrote:
> On Fri, May 27, 2016 at 11:58:33AM +0200, Moritz Muehlenhoff wrote:
> > please see http://seclists.org/oss-sec/2016/q2/413  for details.
> 
> That link says:
>   Versions Affected: 
>   Apache Tika 0.10 to 1.12
> 
> So perhaps 1.5 isn't affected after all? I tried to find the relevant
> commit in the upstream git but failed :(

Commit 
https://github.com/apache/tika/commit/f444fd784b99b181cd7bd54cdec9fbd132b4ef93
in 1.17 added a test case, so this might be related to changes in Xerces/J
which are possibly bundled by Tika downloads? Might be worth clarifying with
Tim Allison.

Cheers,
Moritz



Bug#825501: CVE-2016-4434

2018-01-11 Thread Faidon Liambotis
On Fri, May 27, 2016 at 11:58:33AM +0200, Moritz Muehlenhoff wrote:
> please see http://seclists.org/oss-sec/2016/q2/413  for details.

That link says:
  Versions Affected: 
  Apache Tika 0.10 to 1.12

So perhaps 1.5 isn't affected after all? I tried to find the relevant
commit in the upstream git but failed :(

Regards,
Faidon



Bug#825501: CVE-2016-4434

2016-05-27 Thread Emmanuel Bourg
Thank you for the notice Moritz. Tika isn't really used in Debian yet, I
packaged it as a dependency of Apache JMeter but didn't enable it. I'll
fix it in unstable, but I don't think it's worth fixing in Jessie.

Emmanuel Bourg



Bug#825501: CVE-2016-4434

2016-05-27 Thread Moritz Muehlenhoff
Source: tika
Severity: grave
Tags: security

Hi,
please see http://seclists.org/oss-sec/2016/q2/413  for details.

Cheers,
Moritz
