[
https://issues.apache.org/jira/browse/TIKA-3506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17390033#comment-17390033
]
Stefan Seide commented on TIKA-3506:
------------------------------------
its fine for me - as a new jdom2 release seems nearly finished (referring to
this [https://github.com/hunterhacker/jdom/issues/189).]
And many thanks for preparing a new 1.x release- its all i ask for.
> please fix multipile CVE in commons-compress for tika-parsers 1.x too
> ---------------------------------------------------------------------
>
> Key: TIKA-3506
> URL: https://issues.apache.org/jira/browse/TIKA-3506
> Project: Tika
> Issue Type: Bug
> Components: parser
> Affects Versions: 1.27
> Reporter: Stefan Seide
> Priority: Major
> Labels: security
>
> tika-parsers uses org.apache.commons:commons-compress as a dependency.
> All versions up to 1.20 have multiple medium vulnerabilities incorrectly
> handling input data. These are fixed with current version 1.21.
> With tika-parsers 2.0 the new version is already used, therefore not a
> problem anymore.
> But older 1.x line uses the vulnerable [email protected]. Is it possible
> to create a new security release for the 1.x line with this update?
> An update to the newer 2.x version needs a lot more time due to the breaking
> changes mentioned at the release page (at least it reads so). A new 1.x
> release would held to faster fix this security problem for all.
> * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090]
> * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35517]
> * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35516]
> * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35515]
> Thanks,
> Stefan Seide
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
