srujana-kuntumalla opened a new pull request, #2894: URL: https://github.com/apache/tika/pull/2894
## Summary

- **CVE-2026-2332** (CVSS 9.1 Critical, CWE-444): HTTP/1.1 request smuggling via improper chunk-extension parsing in Jetty. Affects Jetty 11.0.0–11.0.26. Jetty 11.x is EOL with no backport; fix is available in Jetty 12.0.33+.
- Jetty 12.0.x requires Java 17, same minimum JVM version as this project — **no Java upgrade needed**.
- CXF upgrade to 4.1.7 was previously blocked on Jetty 11; it is now unblocked (CXF 4.1.x targets Jetty 12).
- SolrJ upgraded to 10.0.0 because SolrJ 9 embeds Jetty 11 HTTP client APIs that conflict with Jetty 12.

## Changes

| File | Change |
|------|--------|
| `tika-parent/pom.xml` | `jetty.version` 11.0.26 → 12.0.35; rename `http2-*` artifacts to `jetty-http2-*`; `cxf.version` 4.0.11 → 4.1.7; `solrj.version` 9.10.1 → 10.0.0 |
| `tika-server/tika-server-core/pom.xml` | Use renamed `jetty-http2-server`; add `jakarta.servlet-api` 6.0.0 (Jetty 12 no longer bundles the EE9 servlet JAR) |
| `SolrEmitter.java`, `SolrPipesIterator.java` | `Http2SolrClient` → `HttpJettySolrClient`, `LBHttpSolrClient` → `LBJettySolrClient` (SolrJ 10 renames) |
| `tika-pipes-solr/pom.xml`, `tika-pipes-solr-integration-tests/pom.xml` | Add `solr-solrj-jetty` dependency (SolrJ 10 moved Jetty client classes to a separate module) |
| `TikaPipesSolrTestBase.java` | `Http2SolrClient` → `HttpJettySolrClient` |
| `PipesBiDirectionalStreamingIntegrationTest.java` | `PathResource` (removed in Jetty 12) → `ResourceHandler.setBaseResourceAsString()` |

## Known follow-up needed

`LBJettySolrClient` (SolrJ 10) no longer accepts an Apache `HttpClient` instance via `withHttpClient()`. Proxy and authentication configuration previously set through `HttpClientFactory` needs to be reworked using Jetty's native HTTP client. The affected call sites are marked with `TODO` comments in `SolrEmitter.java` and `SolrPipesIterator.java`.

## Test plan

- [ ] `./mvnw verify -pl tika-parent,tika-core,tika-server/tika-server-core -DskipTests` — validate POM changes compile
- [ ] `./mvnw test -pl tika-pipes/tika-pipes-plugins/tika-pipes-solr` — Solr emitter/iterator unit tests
- [ ] `./mvnw test -pl tika-grpc` — gRPC streaming integration test with Jetty 12 HTTP server
- [ ] `./mvnw verify -pl tika-integration-tests/tika-pipes-solr-integration-tests` — Solr integration tests (requires Docker)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
