[ https://issues.apache.org/jira/browse/TIKA-3906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17625641#comment-17625641 ]

Felix Sperling commented on TIKA-3906:
--------------------------------------

[~tallison] Thank you so much. That was superfast :D

Looks good:
{code:java}
$ docker ps
CONTAINER ID   IMAGE                 COMMAND                  CREATED         STATUS         PORTS      NAMES
10f66f029aef   apache/tika:2.5.0.1   "/bin/sh -c 'exec ja…"   6 seconds ago   Up 5 seconds   9998/tcp   serene_rosalind

$ docker exec -ti 10f66f029aef /bin/bash
root@10f66f029aef:/# dpkg -l | grep -E "perl|zlib"
ii  perl-base                     5.34.0-3ubuntu1.1                       amd64        minimal Perl system
ii  zlib1g:amd64                  1:1.2.11.dfsg-2ubuntu9.2                amd64        compression library - runtime
{code}

> Build a new version of the Tika docker image to fix CVEs
> --------------------------------------------------------
>
>                 Key: TIKA-3906
>                 URL: https://issues.apache.org/jira/browse/TIKA-3906
>             Project: Tika
>          Issue Type: Bug
>          Components: docker
>    Affects Versions: 2.5.0
>            Reporter: Felix Sperling
>            Priority: Major
>
> Please rebuild and release a new version of the 2.5.0 docker image.
> The current one contains CVEs which have fixes already in the jammy repos.
> h2. zlib
> *_Note:_* _Versions mentioned in the description apply to the upstream 
> {{zlib}} package._ _See {{How to fix?}} for {{Ubuntu:22.04}} relevant 
> versions._
> zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in 
> inflate in inflate.c via a large gzip header extra field. NOTE: only 
> applications that call inflateGetHeader are affected. Some common 
> applications bundle the affected zlib source code but may be unable to call 
> inflateGetHeader (e.g., see the nodejs/node reference).
> h2. Remediation
> Upgrade {{Ubuntu:22.04}} {{zlib}} to version 1:1.2.11.dfsg-2ubuntu9.2 or 
> higher.
>  
> h2. perl
> *_Note:_* _Versions mentioned in the description apply to the upstream 
> {{perl}} package._ _See {{How to fix?}} for {{Ubuntu:22.04}} relevant 
> versions._
> CPAN 2.28 allows Signature Verification Bypass.
> h2. Remediation
> Upgrade {{Ubuntu:22.04}} {{perl}} to version 5.34.0-3ubuntu1.1 or higher.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)