[
https://issues.apache.org/jira/browse/TIKA-3906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17625033#comment-17625033
]
Tim Allison commented on TIKA-3906:
-----------------------------------
[~fsperling] and fellow devs, how do we handle versioning docker images? Do we
just overwrite 2.5.0 or do we need something like a
<tika-version>.<imageversion> like 2.5.0.1?
> Build a new version of the Tika docker image to fix CVEs
> --------------------------------------------------------
>
> Key: TIKA-3906
> URL: https://issues.apache.org/jira/browse/TIKA-3906
> Project: Tika
> Issue Type: Bug
> Components: docker
> Affects Versions: 2.5.0
> Reporter: Felix Sperling
> Priority: Major
>
> Please rebuild and release a new version of the 2.5.0 docker image.
> The current one contains CVEs which have fixes already in the jammy repos.
> h2. zlib
> *_Note:_* _Versions mentioned in the description apply to the upstream
> {{zlib}} package._ _See {{How to fix?}} for {{Ubuntu:22.04}} relevant
> versions._
> zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in
> inflate in inflate.c via a large gzip header extra field. NOTE: only
> applications that call inflateGetHeader are affected. Some common
> applications bundle the affected zlib source code but may be unable to call
> inflateGetHeader (e.g., see the nodejs/node reference).
> h2. Remediation
> Upgrade {{Ubuntu:22.04}} {{zlib}} to version 1:1.2.11.dfsg-2ubuntu9.2 or
> higher.
>
> h2. perl
> *_Note:_* _Versions mentioned in the description apply to the upstream
> {{perl}} package._ _See {{How to fix?}} for {{Ubuntu:22.04}} relevant
> versions._
> CPAN 2.28 allows Signature Verification Bypass.
> h2. Remediation
> Upgrade {{Ubuntu:22.04}} {{perl}} to version 5.34.0-3ubuntu1.1 or higher.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
