srujana-kuntumalla opened a new pull request, #2893: URL: https://github.com/apache/tika/pull/2893
## Summary

Fixes CVE-2026-2332 — an HTTP/1.1 request smuggling vulnerability (CVSS **9.1 Critical**) in Jetty's chunk-extension parser. Jetty terminates chunk-extension parsing at `\r\n` inside quoted strings instead of treating it as an error, allowing attackers to inject smuggled requests without authentication.

- **Affected**: Jetty 11.0.0–11.0.27 (used by Tika at 11.0.26)
- **Fixed**: Jetty 11.0.28 (and 12.0.33 / 12.1.7 in newer lines)
- **JIRA**: TIKA-4757

### Changes

| File | Change |
|------|--------|
| `tika-parent/pom.xml` | `jetty.version` + `jetty.http2.version`: `11.0.26` → `11.0.28` |
| `tika-parent/pom.xml` | `javaVersion` / `maven.compiler.*` / compiler plugin `<release>`: `17` → `21` |
| `tika-e2e-tests/pom.xml` | `maven.compiler.*` / compiler plugin `<release>`: `17` → `21` |
| `tika-parent/pom.xml` | Removed resolved `jetty-http` ossindex exclusion; updated `http2-common` exclusion version to `11.0.28` |

### Why the Java upgrade?

Jetty 11.x reached end-of-life in November 2024. The 11.0.28 patch resolves the immediate CVE, but long-term security requires migrating to Jetty 12.x. Jetty 12.1.x (the currently maintained line) requires Java 21. Bumping to Java 21 now removes that blocker and keeps the path clear for the Jetty 12 migration once the `Http2SolrClient` / SolrJ API compatibility issue is resolved (see existing comment in `tika-parent/pom.xml` and the `PipesBiDirectionalStreamingIntegrationTest` TODO).
## Test plan

- [x] Verify `jetty.version` and `jetty.http2.version` are `11.0.28` in `tika-parent/pom.xml`
- [x] Verify all `maven.compiler.*` and `<release>` are `21` across both pom files
- [x] Confirm ossindex exclusion for `jetty-http` at `11.0.26` is removed (CVE resolved)
- [ ] Full CI build to confirm no compilation regressions under Java 21
- [ ] Solr integration tests (known pre-existing blocker with `Http2SolrClient`; tracked separately)

## References

- CVE-2026-2332: https://nvd.nist.gov/vuln/detail/CVE-2026-2332
- Jetty security advisory: https://github.com/jetty/jetty.project/security/advisories
- Jetty 11→12 migration guide: https://jetty.org/docs/jetty/12/programming-guide/migration/11-to-12.html

🤖 Generated with [Claude Code](https://claude.com/claude-code)
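The bug class the PR description names (a chunk-size line whose quoted chunk-extension contains a CRLF) is easier to see with the three delimiting policies side by side. The following is an added example and is neither Tika nor Jetty code: it models the pre-fix behaviour as "stop at the first CRLF even inside quotes", the fixed behaviour as "CR/LF inside a quoted-string is a parse error" (RFC 9112's `qdtext` excludes them), and, as an assumption for contrast, a hypothetical peer that keeps scanning until the closing quote. The byte string is constructed, not captured traffic. The point is that the first two policies consume different amounts of the stream and hand back different bodies, which is the desync a request-smuggling attack builds on; the strict policy refuses the message outright.

```python
"""Added example (not Tika or Jetty code): how the end of an HTTP/1.1 chunk-size
line is found when a chunk-extension quoted-string contains CR/LF.

Policies for the scanner that delimits the chunk-size line:
  LENIENT - stop at the first CRLF, even inside a quoted-string (model of the
            pre-fix behaviour described in the PR; not Jetty's own code)
  QUOTED  - hypothetical peer that treats CRLF inside the quotes as part of the
            extension value and only ends the line after the closing quote
  STRICT  - CR or LF inside a quoted-string is a parse error (the fixed behaviour)
"""
from __future__ import annotations

LENIENT, QUOTED, STRICT = "lenient", "quoted", "strict"


class ChunkError(ValueError):
    pass


def chunk_line_end(buf: bytes, start: int, policy: str) -> int:
    """Return the index of the CRLF that terminates the chunk-size line at buf[start:]."""
    in_quote = escaped = False
    i = start
    while i < len(buf):
        if buf[i:i + 2] == b"\r\n" and (policy == LENIENT or not in_quote):
            return i
        c = buf[i]
        if in_quote:
            if escaped:
                escaped = False            # second byte of a quoted-pair
            elif c == 0x5C:                # backslash starts a quoted-pair
                escaped = True
            elif c == 0x22:                # closing DQUOTE
                in_quote = False
            elif c in (0x0D, 0x0A) and policy == STRICT:
                raise ChunkError("CR/LF inside chunk-extension quoted-string")
        elif c == 0x22:
            in_quote = True
        i += 1
    raise ChunkError("chunk-size line not terminated")


def parse_chunk_size(line: bytes) -> int:
    """chunk-size is the hex digits before the first ';'; extensions are not validated."""
    size_hex = line.split(b";", 1)[0].strip()
    if not size_hex or any(ch not in b"0123456789abcdefABCDEF" for ch in size_hex):
        raise ChunkError(f"bad chunk-size {size_hex!r}")
    return int(size_hex, 16)


def decode_chunked(buf: bytes, policy: str) -> tuple[bytes, bytes]:
    """Decode one chunked body; return (decoded data, bytes left over after the trailer).

    Whatever is left over is what the receiver would parse as the *next* request.
    """
    out, pos = bytearray(), 0
    while True:
        end = chunk_line_end(buf, pos, policy)
        size = parse_chunk_size(buf[pos:end])
        pos = end + 2
        if size == 0:                       # last-chunk: skip trailer lines up to the empty line
            while True:
                nl = buf.find(b"\r\n", pos)
                if nl < 0:
                    raise ChunkError("unterminated trailer section")
                line, pos = buf[pos:nl], nl + 2
                if not line:
                    break
            return bytes(out), buf[pos:]
        if pos + size + 2 > len(buf):
            raise ChunkError("truncated chunk data")
        out += buf[pos:pos + size]
        if buf[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk data not followed by CRLF")
        pos += size + 2


# Constructed input: the first chunk-extension value opens a quote and then carries
# a CRLF. A lenient receiver sees body "abc" plus 13 leftover bytes; a quote-aware
# peer sees body "xyz" and nothing left; a strict receiver rejects the message.
SAMPLE = (
    b'3;x="\r\n'      # lenient: line ends here (size 3, quote never closed)
    b'abc\r\n'        # lenient: chunk data
    b'0\r\n\r\n'      # lenient: last-chunk + empty trailer, body complete
    b'"\r\n'          # quoted: the extension value closes here, line ends
    b'xyz\r\n'        # quoted: chunk data
    b'0\r\n\r\n'      # quoted: body complete
)

# Constructed well-formed control: a quoted-string with a space, which every policy
# must accept identically.
CONTROL = b'5;ext="a b"\r\nhello\r\n0\r\n\r\nNEXT'


def compare(buf: bytes) -> dict[str, object]:
    """Run every policy over buf; map policy -> (body, leftover) or the error text."""
    results: dict[str, object] = {}
    for policy in (LENIENT, QUOTED, STRICT):
        try:
            results[policy] = decode_chunked(buf, policy)
        except ChunkError as exc:
            results[policy] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, buf in (("SAMPLE", SAMPLE), ("CONTROL", CONTROL)):
        for policy, result in compare(buf).items():
            print(f"{name:8} {policy:8} {result!r}")
```

The desync is visible in `compare(SAMPLE)`: the lenient receiver finishes the body after `abc` and treats the remaining 13 bytes as the beginning of a new request, while the quote-aware peer has already consumed those bytes as part of the extension value. Whoever controls those bytes controls what the lenient side parses next. The strict policy never reaches that state because the CR inside the quotes is fatal, which is exactly the change the PR text attributes to Jetty 11.0.28; `compare(CONTROL)` confirms that strictness costs nothing for a legitimately quoted extension.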
