Unless there are objections, I'll kick off the 2.9.1 regression tests
shortly. I just cherry-picked TIKA-4153 into 2.x...will be interesting to
see how that works.
Best,
Tim
On Tue, Oct 10, 2023 at 1:37 PM Tim Allison <talli...@apache.org> wrote:
> All,
> Nandita's email didn't go through for some reason.
> Seems reasonable to kick off a 2.9.1 release cycle? What do you think?
>
> Best,
>
> Tim
>
>
>
> *From:* Nandita Mohan
> *Sent:* Monday, October 9, 2023 3:41 PM
> *To:* user@tika.apache.org
> *Subject:* Requesting Tika Server release: commons-compress vulnerability
>
>
>
> Hi there,
>
>
>
> I work on a service which needs to upgrade our images due to this
> vulnerability in Apache *commons-compress*: Apache Commons Compress
> denial of service vulnerability · CVE-2023-42503 · GitHub Advisory Database
> <https://github.com/advisories/GHSA-cgwf-w82q-5jrr>
>
>
>
> This is due to use of Tika Server 2.9.0 (Apache Tika – Apache Tika 1.27
> <https://tika.apache.org/2.9.0/index.html>), which has commons-compress
> as a dependency. I saw that Tim Allison recently updated this*
> commons-compress* version in the Github mirror repo: TIKA-4123 -- general
> updates for 3.0.0-BETA -- upgrade commons-compress · apache/tika@3c88246
> (github.com)
> <https://github.com/apache/tika/commit/3c882460838c818ab2aff310d1fba9a084fe4800>
>
>
>
> We would greatly appreciate if this could be released to tika-server
> package in the next week , so we can update our images soon from this
> vulnerability.
>
>
>
> Thanks,
>
> Nandita Mohan
>
