On 2025/12/10 14:23:42 "reschke (via GitHub)" wrote:
reschke opened a new pull request, #2437:
URL: https://github.com/apache/tika/pull/2437
This is a proof of concept of how to address CVE-2025-66516 in Tika 1.8.25 (for
those who can't upgrade immediately).
It backports the associated changes from the main branch.
(Merge is not expected but of course would be great)
...
Clarifying...
Jackrabbit Oak is currently stuck with Tika 1.x due to the SLF4J (2.x)
dependency (where the upgrade is not entirely trivial due to
incompatible changes).
We understand that the Tika project does not support ancient/EOLd
versions. In fact, that's exactly what the Jackrabbit team did with our
latest vulnerability. But I guess we have fewer users.
So the PR is meant as something where people who need this for 1.x can
look/check/discuss.
We do not expect a merge into the actual Tika 1.x branch, but of course
that would make life easier for us, even if no public release happens.
(And yes, if this approach works, we of course should do it for 2.x as
well).
Best regards, Julian