Question on this one. If we're running Tika server in watchdog+forked child mode, does that somewhat mitigate the problem if we happen to feed Tika one of these malformed tar files? -Josh
 
 
----- Original message -----
From: "Tim Allison" <talli...@apache.org>
To: "Tika User" <user@tika.apache.org>, "<d...@tika.apache.org>" <d...@tika.apache.org>
Cc:
Subject: [EXTERNAL] 2.9.1 release?
Date: Wed, Oct 11, 2023 10:25 AM
 
Unless there are objections, I'll kick off the 2.9.1 regression tests shortly.  I just cherry-picked TIKA-4153 into 2.x...will be interesting to see how that works.
 
Best,
 
           Tim

On Tue, Oct 10, 2023 at 1:37 PM Tim Allison <talli...@apache.org> wrote:
All,
  Nandita's email didn't go through for some reason.
  Seems reasonable to kick off a 2.9.1 release cycle?  What do you think? 
 
      Best,
 
              Tim

 

From: Nandita Mohan
Sent: Monday, October 9, 2023 3:41 PM
To: user@tika.apache.org
Subject: Requesting Tika Server release: commons-compress vulnerability

 

Hi there,

 

I work on a service which needs to upgrade our images due to this vulnerability in Apache commons-compress: Apache Commons Compress denial of service vulnerability · CVE-2023-42503 · GitHub Advisory Database

 

This is due to use of Tika Server 2.9.0 (Apache Tika – Apache Tika 1.27), which has commons-compress as a dependency. I saw that Tim Allison recently updated this commons-compress version in the GitHub mirror repo: TIKA-4123 -- general updates for 3.0.0-BETA -- upgrade commons-compress · apache/tika@3c88246 (github.com)

 

We would greatly appreciate it if this could be released to the tika-server package in the next week, so we can update our images soon from this vulnerability.

 

Thanks,

Nandita Mohan

 
