[ https://issues.apache.org/jira/browse/OFBIZ-12572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17605354#comment-17605354 ]
ASF subversion and git services commented on OFBIZ-12572: --------------------------------------------------------- Commit 3b71d2fc3fed7d77b210c41675418d664bd06189 in ofbiz-framework's branch refs/heads/release22.01 from Deepak Dixit [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=3b71d2fc3f ] Improved: Updated apache tika library to 2.4.1 (OFBIZ-12572) (#544) Included common csv and apache cxf dependency as they were removed from tika 2.4 > [SECURITY] Upgrade Tika to 2.3.0 or more > ---------------------------------------- > > Key: OFBIZ-12572 > URL: https://issues.apache.org/jira/browse/OFBIZ-12572 > Project: OFBiz > Issue Type: Sub-task > Components: content, framework/security > Affects Versions: 18.12.06, 22.01.01 > Reporter: Jacques Le Roux > Assignee: Jacques Le Roux > Priority: Major > > Here the Tika announce: > {quote} > The Apache Tika project is pleased to announce the release of Apache > Tika 2.3.0. The release contents have been pushed out to the main > Apache release site and to the Maven Central sync. > Apache Tika is a toolkit for detecting and extracting metadata and > structured text content from various documents using existing parser > libraries. > Apache Tika 2.3.0 includes several security upgrades in dependencies, > including an upgrade to log4j2 (version 2.17.1). This release also > includes a non-trivial upgrade to Apache POI 5.2.0 (TIKA-3164); users > will observe significantly more logging from the POI parsers. > Details can be found in the changes file: > https://www.apache.org/dist/tika/2.3.0/CHANGES-2.3.0.txt > {quote} > We currently still use 1.28 version because since 2.1.0 Tika throws a lot of > compile errors. I tried to use 2.3.0 and there is much work. Fortunately we > don't rely too much on Tika. > * In security component, only to check *.svg files in > SecuredUpload::getMimeTypeFromFileName() and there is another final check in > this method. > * In content: > DataResourceWorker.getMimeTypeWithByteBuffer::getMimeTypeWithByteBuffer -- This message was sent by Atlassian Jira (v8.20.10#820010)