[jira] [Commented] (TIKA-2890) Critical security vulnerability in dependencies

2019-09-27 Thread Hudson (Jira)

[ https://issues.apache.org/jira/browse/TIKA-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939653#comment-16939653 ]

Hudson commented on TIKA-2890:
--

UNSTABLE: Integrated in Jenkins build tika-branch-1x #236 (See 
[https://builds.apache.org/job/tika-branch-1x/236/])
TIKA-2890 -- update jackson to avoid recent CVEs (tallison: 
[https://github.com/apache/tika/commit/edd3d266a3a8c7bf93c4619bc4fca01e6a393092])
* (edit) tika-parent/pom.xml


> Critical security vulnerability in dependencies
> --
>
> Key: TIKA-2890
> URL: https://issues.apache.org/jira/browse/TIKA-2890
> Project: Tika
>  Issue Type: Improvement
>  Components: parser
>Affects Versions: 1.21
>Reporter: Kyle DuPont
>Priority: Major
> Fix For: 1.23
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> The parser dependency jackson-databind:2.9.8 has a critical vulnerability as 
> per:
> [https://ossindex.sonatype.org/vuln/5bbadb96-496f-4534-a513-7a6396f54029]
> This should be bumped to >2.9.9 to resolve this vulnerability.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (TIKA-2890) Critical security vulnerability in dependencies

2019-10-17 Thread Abhijit Rajwade (Jira)

[ https://issues.apache.org/jira/browse/TIKA-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16953492#comment-16953492 ]

Abhijit Rajwade commented on TIKA-2890:
---

Jackson version 2.10.0 has a fix for the long-standing vulnerability with global default typing / polymorphic deserialization.

Refer to the following links for more info:
  https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2
  https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10

Can you please upgrade to Jackson 2.10.0?


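The 2.10 change the comment above refers to, as an added example that is not code from the Tika project or from Jackson itself: the deprecated global enableDefaultTyping() accepts any class name as a type id, whereas the 2.10 activateDefaultTyping() requires a PolymorphicTypeValidator, so the application states which type ids it will accept. It assumes jackson-databind 2.10.0 or later on the classpath; the package com.example.model and the Payload and Note types are hypothetical, and the hostile JSON document is constructed for the demonstration.

```java
package com.example.model;

// Added example (not Tika's or Jackson's own code). Assumes jackson-databind >= 2.10.0.
// Payload and Note are hypothetical application types; the hostile input is constructed.
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingExample {

    // Hypothetical application types that legitimately need a type id in the JSON.
    public interface Payload { }

    public static class Note implements Payload {
        public String text;
        public Note() { }
        public Note(String text) { this.text = text; }
    }

    // Pre-2.10 pattern (deprecated in 2.10): any class on the classpath is an acceptable
    // type id, so whoever controls the JSON picks the class that gets instantiated.
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyMapper() {
        return new ObjectMapper().enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // 2.10 pattern: default typing is only activated together with a PolymorphicTypeValidator.
    // This allow-list accepts type ids only for classes under our own package prefix.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        return new ObjectMapper().activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Our own type round-trips: the class name is written as the type id and accepted on read.
        String ours = mapper.writerFor(Object.class).writeValueAsString(new Note("hello"));
        System.out.println(ours); // ["com.example.model.DefaultTypingExample$Note",{"text":"hello"}]
        Object back = mapper.readValue(ours, Object.class);
        System.out.println("accepted: " + back.getClass().getName());

        // Constructed hostile input: a type id outside the allow-list. The validator
        // rejects it after the class name is looked up but before anything is instantiated.
        String hostile = "[\"java.util.HashMap\",{\"k\":\"v\"}]";
        try {
            mapper.readValue(hostile, Object.class);
            System.out.println("UNEXPECTED: type id accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected: " + e.getTypeId());
        }
    }
}
```

With legacyMapper() the same document would make Jackson instantiate whatever class the type id names, which is the global default typing weakness the comment above describes; the allow-list makes the outcome independent of which gadget class is discovered next, rather than depending on a block list that has to be updated release by release.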


[jira] [Commented] (TIKA-2890) Critical security vulnerability in dependencies

2019-10-17 Thread Tim Allison (Jira)

[ https://issues.apache.org/jira/browse/TIKA-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16953694#comment-16953694 ]

Tim Allison commented on TIKA-2890:
---

Done.



[jira] [Commented] (TIKA-2890) Critical security vulnerability in dependencies

2019-10-17 Thread Tim Allison (Jira)

[ https://issues.apache.org/jira/browse/TIKA-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16953695#comment-16953695 ]

Tim Allison commented on TIKA-2890:
---

[~arajwade], are you using a nightly build or building locally? Is it OK if I do a blanket update before release rather than making these updates every two weeks (as it feels)?

Thank you for the heads up.



[jira] [Commented] (TIKA-2890) Critical security vulnerability in dependencies

2019-10-17 Thread Abhijit Rajwade (Jira)

[ https://issues.apache.org/jira/browse/TIKA-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16953702#comment-16953702 ]

Abhijit Rajwade commented on TIKA-2890:
---

Tim,

We are currently using the Apache Tika 1.22 released version.

I share the same frustration as you: the security recommendations keep on changing daily, and we have to keep pace with them.

Jackson 2.10.0 has a longer-lasting fix for the known polymorphic typing vulnerability / global default typing. It would be better if you updated Jackson to 2.10.0.

Yes, you can do it just before release to make sure no newer recommendation comes for Jackson.




[jira] [Commented] (TIKA-2890) Critical security vulnerability in dependencies

2019-10-17 Thread Tim Allison (Jira)

[ https://issues.apache.org/jira/browse/TIKA-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16953708#comment-16953708 ]

Tim Allison commented on TIKA-2890:
---

Great! Thank you! And, please don't take the above as frustration aimed at you, personally! We appreciate any and all feedback... the dependency maintenance on Tika is, um, interesting... :D



[jira] [Commented] (TIKA-2890) Critical security vulnerability in dependencies

2019-10-17 Thread Hudson (Jira)

[ https://issues.apache.org/jira/browse/TIKA-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16953728#comment-16953728 ]

Hudson commented on TIKA-2890:
--

SUCCESS: Integrated in Jenkins build Tika-trunk #1707 (See 
[https://builds.apache.org/job/Tika-trunk/1707/])
TIKA-2890 -- bump jackson, again. (tallison: 
[https://github.com/apache/tika/commit/d582b989aee6e4633ffe4bda4cce154a6e0f4db3])
* (edit) tika-parent/pom.xml




[jira] [Commented] (TIKA-2890) Critical security vulnerability in dependencies

2019-10-17 Thread Hudson (Jira)

[ https://issues.apache.org/jira/browse/TIKA-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16953732#comment-16953732 ]

Hudson commented on TIKA-2890:
--

FAILURE: Integrated in Jenkins build tika-branch-1x #243 (See 
[https://builds.apache.org/job/tika-branch-1x/243/])
TIKA-2890 -- bump jackson, again. (tallison: 
[https://github.com/apache/tika/commit/6493c53775b407cfe58f7e470a5a5bc9681cbb39])
* (edit) tika-parent/pom.xml




[jira] [Commented] (TIKA-2890) Critical security vulnerability in dependencies

2019-10-17 Thread Tilman Hausherr (Jira)

[ https://issues.apache.org/jira/browse/TIKA-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16953959#comment-16953959 ]

Tilman Hausherr commented on TIKA-2890:
---

I restarted that build and this time it worked, but no mail.



[jira] [Commented] (TIKA-2890) Critical security vulnerability in dependencies

2019-09-17 Thread Chad Vincent (Jira)

[ https://issues.apache.org/jira/browse/TIKA-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16931532#comment-16931532 ]

Chad Vincent commented on TIKA-2890:


Needs to be bumped to >2.9.9.2 now due to [https://nvd.nist.gov/vuln/detail/CVE-2019-14379]



[jira] [Commented] (TIKA-2890) Critical security vulnerability in dependencies

2019-09-25 Thread gggeek (Jira)

[ https://issues.apache.org/jira/browse/TIKA-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16937523#comment-16937523 ]

gggeek commented on TIKA-2890:
--

Sorry if this is already known / fixed / not applicable, but should we also list CVE-2019-0228 here, fixed in PDFBox 2.0.16?



[jira] [Commented] (TIKA-2890) Critical security vulnerability in dependencies

2019-09-27 Thread Tim Allison (Jira)

[ https://issues.apache.org/jira/browse/TIKA-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939514#comment-16939514 ]

Tim Allison commented on TIKA-2890:
---

Thank you [~gggeek], we do include that on our security page. But, good catch!

https://tika.apache.org/security.html



[jira] [Commented] (TIKA-2890) Critical security vulnerability in dependencies

2019-09-27 Thread Tim Allison (Jira)

[ https://issues.apache.org/jira/browse/TIKA-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939515#comment-16939515 ]

Tim Allison commented on TIKA-2890:
---

Bumping Jackson now.



[jira] [Commented] (TIKA-2890) Critical security vulnerability in dependencies

2019-09-27 Thread Hudson (Jira)

[ https://issues.apache.org/jira/browse/TIKA-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939580#comment-16939580 ]

Hudson commented on TIKA-2890:
--

FAILURE: Integrated in Jenkins build tika-2.x-windows #454 (See 
[https://builds.apache.org/job/tika-2.x-windows/454/])
TIKA-2890 -- update jackson to avoid recent CVEs (tallison: rev 
c33d5412ca1133fd80c5fa5df7d0f51e0c076293)
* (edit) tika-parent/pom.xml




[jira] [Commented] (TIKA-2890) Critical security vulnerability in dependencies

2019-09-27 Thread Hudson (Jira)

[ https://issues.apache.org/jira/browse/TIKA-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939607#comment-16939607 ]

Hudson commented on TIKA-2890:
--

UNSTABLE: Integrated in Jenkins build Tika-trunk #1700 (See 
[https://builds.apache.org/job/Tika-trunk/1700/])
TIKA-2890 -- update jackson to avoid recent CVEs (tallison: 
[https://github.com/apache/tika/commit/c33d5412ca1133fd80c5fa5df7d0f51e0c076293])
* (edit) tika-parent/pom.xml

