Stefan Seide created TIKA-3506:
----------------------------------

             Summary: please fix multiple CVE in commons-compress for tika-parsers 1.x too
                 Key: TIKA-3506
                 URL: https://issues.apache.org/jira/browse/TIKA-3506
             Project: Tika
          Issue Type: Bug
          Components: parser
    Affects Versions: 1.27
            Reporter: Stefan Seide


tika-parsers uses org.apache.commons:commons-compress as a dependency.

All versions up to 1.20 have multiple medium vulnerabilities incorrectly 
handling input data. These are fixed with current version 1.21.

With tika-parsers 2.0 the new version is already used, therefore not a problem 
anymore.

But older 1.x line uses the vulnerable [email protected]. Is it possible to 
create a new security release for the 1.x line with this update?

An update to the newer 2.x version needs a lot more time due to the breaking 
changes mentioned on the release page (at least that is how it reads). A new 1.x 
release would help to fix this security problem faster for all.
 * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090]
 * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35517]
 * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35516]
 * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35515]

Thanks,

Stefan Seide
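The report above boils down to a dependency-audit question: does a build that pulls in tika-parsers 1.x transitively carry an org.apache.commons:commons-compress version below the fixed 1.21? The following script is an added example, not code from the Tika project or from the reporter. It parses the coordinate lines of `mvn dependency:tree` output (the sample tree below is constructed, not real Tika build output), compares versions numerically rather than as strings (so 1.9 is correctly treated as older than 1.21), and flags any artifact that sits below the first fixed version recorded in a small advisory table. The only advisory entry is the one this issue states: commons-compress fixed in 1.21.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `mvn dependency:tree` output for a project that depends
# on tika-parsers 1.x. This is illustrative input, not captured Tika build output.
SAMPLE_TREE = """\
[INFO] org.example:my-app:jar:1.0.0
[INFO] +- org.apache.tika:tika-parsers:jar:1.27:compile
[INFO] |  +- org.apache.commons:commons-compress:jar:1.20:compile
[INFO] |  \\- org.tukaani:xz:jar:1.9:compile
[INFO] \\- org.apache.commons:commons-lang3:jar:3.12.0:compile
"""

# (groupId, artifactId) -> first version that carries the fix.
# The single entry reflects what the report states: commons-compress is fixed in 1.21.
ADVISORIES: Dict[Tuple[str, str], str] = {
    ("org.apache.commons", "commons-compress"): "1.21",
}

# Matches Maven coordinates of the form groupId:artifactId:packaging:version
# as printed by dependency:tree; the trailing ":scope" is ignored.
COORD_RE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):([0-9][A-Za-z0-9_.\-]*)"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a tuple of ints for comparison.

    Numeric segments are kept until the first non-numeric qualifier, so
    '1.21' -> (1, 21) and '1.21-SNAPSHOT' -> (1, 21). Comparing tuples avoids
    the string-comparison trap where '1.9' would sort after '1.21'.
    """
    parts: List[int] = []
    for piece in re.split(r"[.\-]", version):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b (missing segments count as 0)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def parse_tree(text: str) -> List[Tuple[str, str, str]]:
    """Extract (groupId, artifactId, version) from each coordinate line of a dependency tree."""
    deps: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        match = COORD_RE.search(line)
        if match:
            group, artifact, _packaging, version = match.groups()
            deps.append((group, artifact, version))
    return deps


def find_vulnerable(text: str) -> List[Tuple[str, str, str]]:
    """Return (coordinate, found_version, fixed_version) for every dependency
    whose version is older than the first fixed version in ADVISORIES."""
    findings: List[Tuple[str, str, str]] = []
    for group, artifact, version in parse_tree(text):
        fixed = ADVISORIES.get((group, artifact))
        if fixed is not None and version_lt(version, fixed):
            findings.append((f"{group}:{artifact}", version, fixed))
    return findings


if __name__ == "__main__":
    for coordinate, found, fixed in find_vulnerable(SAMPLE_TREE):
        print(f"{coordinate} {found} is below the fixed version {fixed}")
```

Run it against real output with `mvn dependency:tree | python audit.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`. Until a 1.x release of tika-parsers ships with the updated dependency, a consumer can still pin the transitive version from their own pom.xml through a `<dependencyManagement>` entry for org.apache.commons:commons-compress 1.21; Maven's nearest-wins resolution then takes the managed version, and rerunning the tree audit confirms the override took effect.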



--
This message was sent by Atlassian Jira
(v8.3.4#803005)