Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.17
    • Component/s: None
    • Labels: None

      Activity

      hudson Hudson added a comment -

      SUCCESS: Integrated in Jenkins build Tika-trunk #1391 (See https://builds.apache.org/job/Tika-trunk/1391/)
      TIKA-2504 exclude dependency on old vfs2 to remove vulnerability from (tallison: https://github.com/apache/tika/commit/7d83b86c9d3e7a749c0dd2adb52325c35fb99c51)

      • (edit) tika-parsers/pom.xml
      tallison@mitre.org Tim Allison added a comment -

      Thank you Nick Burch for the input!

      tallison@mitre.org Tim Allison added a comment -

      Thank you! Ha, right, I checked that the unit tests pass, but...famous last words.

      gagravarr Nick Burch added a comment -

      I don't believe we're using the VFS support in JUnRAR, as we're detecting the filetype directly (not via VFS) then calling to the RAR classes directly (not via VFS).

      So, I think we should be fine to exclude it, especially if the RAR-related unit tests still pass afterwards!

      tallison@mitre.org Tim Allison added a comment - - edited

      Luis Filipe Nassif or Nick Burch, vfs2 is an optional dependency for the RARParser. The version of vfs2 that is optional is bringing along the vulnerable plexus-utils. Do we need vfs2 at all? If we do can we exclude it from junrar, and then add back 2.2, which doesn't require plexus-utils?

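The exclusion discussed in this thread, shown as an added Maven fragment for illustration (not the committed tika-parsers/pom.xml change); the junrar and commons-vfs2 coordinates and the version property are assumptions:

```xml
<!-- Added example, not the project's own pom. Drops the old commons-vfs2
     that junrar pulls in transitively, so its plexus-utils no longer
     reaches the Tika classpath. Coordinates/version are assumed. -->
<dependency>
  <groupId>com.github.junrar</groupId>
  <artifactId>junrar</artifactId>
  <version>${junrar.version}</version>   <!-- placeholder property -->
  <exclusions>
    <exclusion>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-vfs2</artifactId>
    </exclusion>
  </exclusions>
</dependency>

<!-- Only if VFS support turns out to be needed: the thread's alternative
     of declaring vfs2 2.2 directly, which does not require plexus-utils. -->
<dependency>
  <groupId>org.apache.commons</groupId>
  <artifactId>commons-vfs2</artifactId>
  <version>2.2</version>
  <optional>true</optional>
</dependency>
```

To confirm the vulnerable artifact is really gone, run `mvn dependency:tree -Dincludes=org.codehaus.plexus:plexus-utils` in tika-parsers and check that nothing is listed, then run the RAR-related unit tests as Nick suggests.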

        People

        • Assignee:
          Unassigned
          Reporter:
          tallison@mitre.org Tim Allison