Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
1.20
-
None
Description
Besides the libraries reported in TIKA-2801 and TIKA-2835, the following 4th party dependencies are out-of-date and should be upgraded to the latest versions. The first three have outstanding CVEs which would be resolved by using the newer versions of those dependencies.
jackson-databind (is 2.9.7, should be 2.9.8)
guava (is 17.0, should be 27.0)
sqlite-jdbc (is 3.25.2, should be 3.27.2.1)
No current CVEs but still out-of-date:
Apache commons-codec (is 1.11, should be 1.12)
Apache CXF (is 3.2.7, should be 3.3.1)
Apache httpcomponents (is 4.5.6, should be 4.5.8)
Apache james mime4j (is 0.8.2, should be 0.8.3)
Apache opennlp-tools (is 1.9.0, should be 1.9.1)
parso (is 2.0.10, should beĀ 2.0.11)
jackson-annotations
jackson-core
jackcess (is 2.1.12, should be 3.0.0)
jackcess-encrypt (is 2.1.4, should be 3.0.0)
org.osgi.compendium (is 4.0.0, should be 5.0.0)
org.osgi.core (is 4.0.0, should be 6.0.0)
junrar (is 2.0.0, should be 4.0.0)
java-libpst (is 0.8.1, should be 0.9.3)
jna (is 5.1.0, should be 5.2.0)
Bouncy Castle bcprov and bcmail (is 1.60, should be 1.61)
slf4j-log4j12 (is 1.7.25, should be 1.7.26)
UCAR cdm (is 4.5.5, should be 5.0.0)
UCAR grib (is 4.5.5, should be 8.0.0)
UCAR httpservices (is 4.5.5, should be 4.6.7)
UCAR netcdf4 (incorrectly labeled as 4.5.5, should be 4.3.22)
bndlib (is 1.50.0, should be 4.2.0)
Attachments
Issue Links
- duplicates
-
TIKA-2804 Blanket dependency upgrades for next release cycle
-
- Closed
-
- is duplicated by
-
-
- Closed
-
-
TIKA-2824 General dependency/plugin upgrades for next release
-
- Resolved
-
- is related to
-
-
- Resolved
-