Thank you for the background, Julian! I personally don't have objections to merging this into our 1.x branch. As you already know, 1.x is EOL, and there won't be a public release.
Again, as you know, I do worry about anyone being stuck on 1.x. This PR fixes one vulnerability, but there are probably many, many others, including at least these: https://tika.apache.org/security.html

Fellow devs, any objections to merging this into branch_1x?

On Wed, Dec 10, 2025 at 10:28 AM Julian Reschke <[email protected]> wrote:
> On 2025/12/10 14:23:42 "reschke (via GitHub)" wrote:
> >
> > reschke opened a new pull request, #2437:
> > URL: https://github.com/apache/tika/pull/2437
> >
> > This is a Proof Of Concept how to address CVE-2025-66516 in Tika
> > 1.8.25 (for those who can't upgrade immediately).
> >
> > It backports the associated changes from the main branch.
> >
> > (Merge is not expected but of course would be great)
> > ...
>
> Clarifying...
>
> Jackrabbit Oak is currently stuck with Tika 1.x due to the SLF4J (2.x)
> dependency (where the upgrade is not entirely trivial due to
> incompatible changes).
>
> We understand that the Tika project does not support ancient/EOLd
> versions. In fact, that's exactly what the Jackrabbit team did with our
> latest vulnerability. But I guess we have fewer users.
>
> So the PR is meant as something where people who need this for 1.x can
> look/check/discuss.
>
> We do not expect a merge into the actual Tika 1.x branch, but of course
> that would make life easier for us, even if no public release happens.
>
> (And yes, if this approach works, we of course should do it for 2.x as
> well).
>
> Best regards, Julian
