[jira] [Commented] (TIKA-3488) Security issue XXE in TIKA due to JDOM
[ https://issues.apache.org/jira/browse/TIKA-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17466817#comment-17466817 ] ASF GitHub Bot commented on TIKA-3488: -- arend-von-reinersdorff commented on pull request #468: URL: https://github.com/apache/tika/pull/468#issuecomment-1002972265 @lewismc Thanks for upgrading the rome dependency :-) They sure were quick with version 1.18.0 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tika.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org > Security issue XXE in TIKA due to JDOM > -- > > Key: TIKA-3488 > URL: https://issues.apache.org/jira/browse/TIKA-3488 > Project: Tika > Issue Type: Task > Components: tika-server >Affects Versions: 1.25 >Reporter: Arvind Jagtap >Assignee: Lewis John McGibbney >Priority: Major > Fix For: 2.2.1 > > > Apache TIKA 1.35 is vulnerable due to dependency on JDOM 2.0.6. Black Duck > Hub has reported this vulnerability CVE-2021-33813 with more detail on the > following page. > [https://nvd.nist.gov/vuln/detail/CVE-2021-33813#range-6782705] > Although the following issue is entered, it is not yet fixed and there is no > timeline given. > https://github.com/hunterhacker/jdom/issues/189 > There are some workaround discussed on this issue. Can this be fixed in TIKA > in the meanwhile? -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (TIKA-3488) Security issue XXE in TIKA due to JDOM
[ https://issues.apache.org/jira/browse/TIKA-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17466681#comment-17466681 ] Lewis John McGibbney commented on TIKA-3488: This was fixed in https://github.com/apache/tika/pull/469 > Security issue XXE in TIKA due to JDOM > -- > > Key: TIKA-3488 > URL: https://issues.apache.org/jira/browse/TIKA-3488 > Project: Tika > Issue Type: Task > Components: tika-server >Affects Versions: 1.25 >Reporter: Arvind Jagtap >Assignee: Lewis John McGibbney >Priority: Major > Fix For: 2.2.1 > > > Apache TIKA 1.35 is vulnerable due to dependency on JDOM 2.0.6. Black Duck > Hub has reported this vulnerability CVE-2021-33813 with more detail on the > following page. > [https://nvd.nist.gov/vuln/detail/CVE-2021-33813#range-6782705] > Although the following issue is entered, it is not yet fixed and there is no > timeline given. > https://github.com/hunterhacker/jdom/issues/189 > There are some workaround discussed on this issue. Can this be fixed in TIKA > in the meanwhile? -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (TIKA-3488) Security issue XXE in TIKA due to JDOM
[ https://issues.apache.org/jira/browse/TIKA-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17466679#comment-17466679 ] ASF GitHub Bot commented on TIKA-3488: -- lewismc closed pull request #468: URL: https://github.com/apache/tika/pull/468 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tika.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org > Security issue XXE in TIKA due to JDOM > -- > > Key: TIKA-3488 > URL: https://issues.apache.org/jira/browse/TIKA-3488 > Project: Tika > Issue Type: Task > Components: tika-server >Affects Versions: 1.25 >Reporter: Arvind Jagtap >Priority: Major > > Apache TIKA 1.35 is vulnerable due to dependency on JDOM 2.0.6. Black Duck > Hub has reported this vulnerability CVE-2021-33813 with more detail on the > following page. > [https://nvd.nist.gov/vuln/detail/CVE-2021-33813#range-6782705] > Although the following issue is entered, it is not yet fixed and there is no > timeline given. > https://github.com/hunterhacker/jdom/issues/189 > There are some workaround discussed on this issue. Can this be fixed in TIKA > in the meanwhile? -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (TIKA-3488) Security issue XXE in TIKA due to JDOM
[ https://issues.apache.org/jira/browse/TIKA-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17466678#comment-17466678 ] ASF GitHub Bot commented on TIKA-3488: -- lewismc commented on pull request #468: URL: https://github.com/apache/tika/pull/468#issuecomment-1002868509 Hi @arend-von-reinersdorff I didn't see this before my apologies. This is superseded by #469 Thank you so much for the contribution. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tika.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org > Security issue XXE in TIKA due to JDOM > -- > > Key: TIKA-3488 > URL: https://issues.apache.org/jira/browse/TIKA-3488 > Project: Tika > Issue Type: Task > Components: tika-server >Affects Versions: 1.25 >Reporter: Arvind Jagtap >Priority: Major > > Apache TIKA 1.35 is vulnerable due to dependency on JDOM 2.0.6. Black Duck > Hub has reported this vulnerability CVE-2021-33813 with more detail on the > following page. > [https://nvd.nist.gov/vuln/detail/CVE-2021-33813#range-6782705] > Although the following issue is entered, it is not yet fixed and there is no > timeline given. > https://github.com/hunterhacker/jdom/issues/189 > There are some workaround discussed on this issue. Can this be fixed in TIKA > in the meanwhile? -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (TIKA-3488) Security issue XXE in TIKA due to JDOM
[ https://issues.apache.org/jira/browse/TIKA-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17465474#comment-17465474 ] ASF GitHub Bot commented on TIKA-3488: -- arend-von-reinersdorff opened a new pull request #468: URL: https://github.com/apache/tika/pull/468 To update transitive dependency jdom2 to version 2.0.6.1 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tika.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org > Security issue XXE in TIKA due to JDOM > -- > > Key: TIKA-3488 > URL: https://issues.apache.org/jira/browse/TIKA-3488 > Project: Tika > Issue Type: Task > Components: tika-server >Affects Versions: 1.25 >Reporter: Arvind Jagtap >Priority: Major > > Apache TIKA 1.35 is vulnerable due to dependency on JDOM 2.0.6. Black Duck > Hub has reported this vulnerability CVE-2021-33813 with more detail on the > following page. > [https://nvd.nist.gov/vuln/detail/CVE-2021-33813#range-6782705] > Although the following issue is entered, it is not yet fixed and there is no > timeline given. > https://github.com/hunterhacker/jdom/issues/189 > There are some workaround discussed on this issue. Can this be fixed in TIKA > in the meanwhile? -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (TIKA-3488) Security issue XXE in TIKA due to JDOM
[ https://issues.apache.org/jira/browse/TIKA-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17455265#comment-17455265 ] Tim Allison commented on TIKA-3488: --- Updated version of jdom2 is now available. :) > Security issue XXE in TIKA due to JDOM > -- > > Key: TIKA-3488 > URL: https://issues.apache.org/jira/browse/TIKA-3488 > Project: Tika > Issue Type: Bug > Components: tika-server >Affects Versions: 1.25 >Reporter: Arvind Jagtap >Priority: Major > > Apache TIKA 1.35 is vulnerable due to dependency on JDOM 2.0.6. Black Duck > Hub has reported this vulnerability CVE-2021-33813 with more detail on the > following page. > [https://nvd.nist.gov/vuln/detail/CVE-2021-33813#range-6782705] > Although the following issue is entered, it is not yet fixed and there is no > timeline given. > https://github.com/hunterhacker/jdom/issues/189 > There are some workaround discussed on this issue. Can this be fixed in TIKA > in the meanwhile? -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (TIKA-3488) Security issue XXE in TIKA due to JDOM
[ https://issues.apache.org/jira/browse/TIKA-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17447675#comment-17447675 ] Hudson commented on TIKA-3488: -- SUCCESS: Integrated in Jenkins build Tika » tika-main-jdk8 #366 (See [https://ci-builds.apache.org/job/Tika/job/tika-main-jdk8/366/]) TIKA-3488 -- ignore jdom2 cve warnings until there is a fix available (tallison: [https://github.com/apache/tika/commit/9bcc24b4de1ab9289f2e3197c8ad94ac5851d90c]) * (edit) tika-parsers/tika-parsers-ml/tika-parser-nlp-module/pom.xml > Security issue XXE in TIKA due to JDOM > -- > > Key: TIKA-3488 > URL: https://issues.apache.org/jira/browse/TIKA-3488 > Project: Tika > Issue Type: Bug > Components: tika-server >Affects Versions: 1.25 >Reporter: Arvind Jagtap >Priority: Major > > Apache TIKA 1.35 is vulnerable due to dependency on JDOM 2.0.6. Black Duck > Hub has reported this vulnerability CVE-2021-33813 with more detail on the > following page. > [https://nvd.nist.gov/vuln/detail/CVE-2021-33813#range-6782705] > Although the following issue is entered, it is not yet fixed and there is no > timeline given. > https://github.com/hunterhacker/jdom/issues/189 > There are some workaround discussed on this issue. Can this be fixed in TIKA > in the meanwhile? -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (TIKA-3488) Security issue XXE in TIKA due to JDOM
[ https://issues.apache.org/jira/browse/TIKA-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17406822#comment-17406822 ] Hudson commented on TIKA-3488: -- FAILURE: Integrated in Jenkins build Tika » tika-main-jdk8 #322 (See [https://ci-builds.apache.org/job/Tika/job/tika-main-jdk8/322/]) TIKA-3488 -- exclude dependency on jdom2 in the FeedParser. See: https://github.com/hunterhacker/jdom/issues/189 (tallison: [https://github.com/apache/tika/commit/235d916c4ef163567db125a9f597cab3de82e0c5]) * (edit) tika-parsers/tika-parsers-standard/tika-parsers-standard-modules/tika-parser-news-module/src/main/java/org/apache/tika/parser/feed/FeedParser.java * (edit) tika-parsers/tika-parsers-standard/tika-parsers-standard-modules/tika-parser-news-module/pom.xml TIKA-3488 -- exclude dependency on jdom2 in the FeedParser. See: https://github.com/hunterhacker/jdom/issues/189 (tallison: [https://github.com/apache/tika/commit/4c1c675565026585ade55268255de077af055d52]) * (edit) tika-bundles/tika-bundle-standard/pom.xml TIKA-3488 -- revert to include jdom2 (tallison: [https://github.com/apache/tika/commit/fe6f33ee0b61c09d30c46229ea020ad20328d29f]) * (edit) tika-parsers/tika-parsers-standard/tika-parsers-standard-modules/tika-parser-news-module/src/main/java/org/apache/tika/parser/feed/FeedParser.java * (edit) tika-parsers/tika-parsers-standard/tika-parsers-standard-modules/tika-parser-news-module/pom.xml * (edit) tika-bundles/tika-bundle-standard/pom.xml > Security issue XXE in TIKA due to JDOM > -- > > Key: TIKA-3488 > URL: https://issues.apache.org/jira/browse/TIKA-3488 > Project: Tika > Issue Type: Bug > Components: tika-server >Affects Versions: 1.25 >Reporter: Arvind Jagtap >Priority: Major > > Apache TIKA 1.35 is vulnerable due to dependency on JDOM 2.0.6. Black Duck > Hub has reported this vulnerability CVE-2021-33813 with more detail on the > following page. > [https://nvd.nist.gov/vuln/detail/CVE-2021-33813#range-6782705] > Although the following issue is entered, it is not yet fixed and there is no > timeline given. > https://github.com/hunterhacker/jdom/issues/189 > There are some workaround discussed on this issue. Can this be fixed in TIKA > in the meanwhile? -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (TIKA-3488) Security issue XXE in TIKA due to JDOM
[ https://issues.apache.org/jira/browse/TIKA-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17406783#comment-17406783 ] Tim Allison commented on TIKA-3488: --- This is wrong. Even if you build a standard w3c DOM/Document, rome converts it to a jdom2 document. Argh reverting. > Security issue XXE in TIKA due to JDOM > -- > > Key: TIKA-3488 > URL: https://issues.apache.org/jira/browse/TIKA-3488 > Project: Tika > Issue Type: Bug > Components: tika-server >Affects Versions: 1.25 >Reporter: Arvind Jagtap >Priority: Major > > Apache TIKA 1.35 is vulnerable due to dependency on JDOM 2.0.6. Black Duck > Hub has reported this vulnerability CVE-2021-33813 with more detail on the > following page. > [https://nvd.nist.gov/vuln/detail/CVE-2021-33813#range-6782705] > Although the following issue is entered, it is not yet fixed and there is no > timeline given. > https://github.com/hunterhacker/jdom/issues/189 > There are some workaround discussed on this issue. Can this be fixed in TIKA > in the meanwhile? -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (TIKA-3488) Security issue XXE in TIKA due to JDOM
[ https://issues.apache.org/jira/browse/TIKA-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17406769#comment-17406769 ] Tim Allison commented on TIKA-3488: --- Turns out we can exclude jdom2 for Rome and just build a standard DOM/Document with our usual and (hopefully) secure methods. Let's do that. I'm not sure how to exclude it from grib safely... > Security issue XXE in TIKA due to JDOM > -- > > Key: TIKA-3488 > URL: https://issues.apache.org/jira/browse/TIKA-3488 > Project: Tika > Issue Type: Bug > Components: tika-server >Affects Versions: 1.25 >Reporter: Arvind Jagtap >Priority: Major > > Apache TIKA 1.35 is vulnerable due to dependency on JDOM 2.0.6. Black Duck > Hub has reported this vulnerability CVE-2021-33813 with more detail on the > following page. > [https://nvd.nist.gov/vuln/detail/CVE-2021-33813#range-6782705] > Although the following issue is entered, it is not yet fixed and there is no > timeline given. > https://github.com/hunterhacker/jdom/issues/189 > There are some workaround discussed on this issue. Can this be fixed in TIKA > in the meanwhile? -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (TIKA-3488) Security issue XXE in TIKA due to JDOM
[ https://issues.apache.org/jira/browse/TIKA-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17388050#comment-17388050 ] Tim Allison commented on TIKA-3488: --- I dug a bit more into rome which we just updated, and they are now correctly following the directions: bq: builder.setExpandEntities(false) then JDOM won't expand entities. So, I think we're set for rome. > Security issue XXE in TIKA due to JDOM > -- > > Key: TIKA-3488 > URL: https://issues.apache.org/jira/browse/TIKA-3488 > Project: Tika > Issue Type: Bug > Components: tika-server >Affects Versions: 1.25 >Reporter: Arvind Jagtap >Priority: Major > > Apache TIKA 1.35 is vulnerable due to dependency on JDOM 2.0.6. Black Duck > Hub has reported this vulnerability CVE-2021-33813 with more detail on the > following page. > [https://nvd.nist.gov/vuln/detail/CVE-2021-33813#range-6782705] > Although the following issue is entered, it is not yet fixed and there is no > timeline given. > https://github.com/hunterhacker/jdom/issues/189 > There are some workaround discussed on this issue. Can this be fixed in TIKA > in the meanwhile? -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (TIKA-3488) Security issue XXE in TIKA due to JDOM
[ https://issues.apache.org/jira/browse/TIKA-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17388047#comment-17388047 ] Tim Allison commented on TIKA-3488: --- We appear to use jdom2 in two parsers: rome (FeedParser) and ucar. It looks like we can mitigate this in rome by loading the jdom2 document ourselves[1]. I don't see that there's anything we can do in ucar, but if anyone has any recs, let me know. If you're using tika 2.x and don't need the scientific parsers, then you'll be all set with the tika-parsers-standard. This was one of the reasons for modularization! :D [1] https://github.com/hunterhacker/jdom/issues/189#issuecomment-867933052 > Security issue XXE in TIKA due to JDOM > -- > > Key: TIKA-3488 > URL: https://issues.apache.org/jira/browse/TIKA-3488 > Project: Tika > Issue Type: Bug > Components: tika-server >Affects Versions: 1.25 >Reporter: Arvind Jagtap >Priority: Major > > Apache TIKA 1.35 is vulnerable due to dependency on JDOM 2.0.6. Black Duck > Hub has reported this vulnerability CVE-2021-33813 with more detail on the > following page. > [https://nvd.nist.gov/vuln/detail/CVE-2021-33813#range-6782705] > Although the following issue is entered, it is not yet fixed and there is no > timeline given. > https://github.com/hunterhacker/jdom/issues/189 > There are some workaround discussed on this issue. Can this be fixed in TIKA > in the meanwhile? -- This message was sent by Atlassian Jira (v8.3.4#803005)