  1. Tika
  2. TIKA-2854

upgrade out-of-date dependencies with outstanding CVEs


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.20
    • Fix Version/s: 1.21
    • Component/s: languageidentifier, parser
    • Labels: None

      Description

      Besides the libraries reported in TIKA-2801 and TIKA-2835, the following 4th party dependencies are out-of-date and should be upgraded to the latest versions. The first three have outstanding CVEs which would be resolved by using the newer versions of those dependencies.

      jackson-databind (is 2.9.7, should be 2.9.8)

      guava (is 17.0, should be 27.0)

      sqlite-jdbc (is 3.25.2, should be 3.27.2.1)

      No current CVEs but still out-of-date:

      Apache commons-codec (is 1.11, should be 1.12)

      Apache CXF (is 3.2.7, should be 3.3.1)

      Apache httpcomponents (is 4.5.6, should be 4.5.8)

      Apache james mime4j (is 0.8.2, should be 0.8.3)

      Apache opennlp-tools (is 1.9.0, should be 1.9.1)

      parso (is 2.0.10, should be 2.0.11)

      jackson-annotations

      jackson-core

      jackcess (is 2.1.12, should be 3.0.0)

      jackcess-encrypt (is 2.1.4, should be 3.0.0)

      org.osgi.compendium (is 4.0.0, should be 5.0.0)

      org.osgi.core (is 4.0.0, should be 6.0.0)

      junrar (is 2.0.0, should be 4.0.0)

      java-libpst (is 0.8.1, should be 0.9.3)

      jna (is 5.1.0, should be 5.2.0)

      Bouncy Castle bcprov and bcmail (is 1.60, should be 1.61)

      slf4j-log4j12 (is 1.7.25, should be 1.7.26)

      UCAR cdm (is 4.5.5, should be 5.0.0)

      UCAR grib (is 4.5.5, should be 8.0.0)

      UCAR httpservices (is 4.5.5, should be 4.6.7)

      UCAR netcdf4 (incorrectly labeled as 4.5.5, should be 4.3.22)

      bndlib (is 1.50.0, should be 4.2.0)

              People

              • Assignee: Unassigned
              • Reporter: oracle.apavlin Andrew Pavlin
              • Votes: 0
              • Watchers: 3
