We do not plan to make another 2.x release. Please see this link for mitigations: https://lists.apache.org/thread/ymw9kkh94kvw0s6plwvjrp577sl1wbp8
On Mon, Sep 29, 2025 at 12:28 PM Saravanan Balakrishnan < [email protected]> wrote: > Thanks a lot for the reply. Are there any changes/plan to release Tika 2.x > release with this (CVE-2025-54988) fix like 2.9.5. > > Regards, > Saravanan B > > > ----- Original message ----- > From: "Tilman Hausherr" <[email protected]> > To: [email protected] > Subject: Re: Security fix CVE-2025-54988 port to Tika 2.9.4 > Date: Fri, Sep 26, 2025 3:24 PM > > > - [CAUTION: This email is from outside the organization. Unless you > trust the sender, don't click links or open attachments as it may be a > phishing email, which can steal your information and compromise your > computer.] > > > > Update to 3.2.3. Or are you asking for the specific commit because you > want to stay with 2.* ? In that later case, the 2.* repository branch > contains the fix, but there won't be a 2.9.4 release. But you can download > the source and build locally. > > https://github.com/apache/tika/tree/branch_2x > > Tilman > > Am 25.09.2025 um 15:37 schrieb Saravanan Balakrishnan: > > Hello All, > We are running into a problem that fix for CVE-2025-54988 is went in Tika > 3.2.2 and we have a limitation to upgrade Tika 3.2.2 in our product's > earlier version. Kindly look for feasibility to port fix for > "CVE-2025-54988" which went in Tika 3.2.2 in Tika 2.9.4 would be great. > > Thanks in advance. > > Regards, > Saravanan B > > > > >
