[
https://issues.apache.org/jira/browse/TIKA-3558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17418157#comment-17418157
]
Nick Burch commented on TIKA-3558:
----------------------------------
That seems to be a vulnerability in the libflac C code, so it shouldn't affect the
library we use, as that's pure Java and a fresh implementation.
In terms of the library not having any recent releases, generally the basics
are all there and nicely stable, but there is still more that could be
implemented if any volunteers wanted to assist!
There are improvements needed in how to map metadata from files with multiple
substreams (e.g. video + multiple audio), improving multi-stream detection using
Ogg Skeleton / Annodex or CMML, extracting song lyrics from Kate streams, etc.
> vulnerability detected in vorbis-tika-java
> ------------------------------------------
>
> Key: TIKA-3558
> URL: https://issues.apache.org/jira/browse/TIKA-3558
> Project: Tika
> Issue Type: Bug
> Affects Versions: 1.27
> Reporter: brent jackson
> Priority: Major
>
> We recently had a user report that a security scan on tika-app-1.25
> discovered a vulnerability in vorbis-tika-java. Specifically:
>
> [https://nvd.nist.gov/vuln/detail/CVE-2017-6888]
> (detected on
> tika-app-1.25.jar/META-INF/maven/org.gagravarr/vorbis-java-tika/pom.xml)
>
> I checked 1.27 and the org.gagravarr classes have not been updated (they all
> date from 2016). Has this vulnerability been addressed? Or is it a false
> positive? Thanks.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)