[TIKA-3506] please fix multipile CVE in commons-compress for tika-parsers 1.x too - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 1.27
Fix Version/s: None
Component/s: parser
Labels:
- security

Description

tika-parsers uses org.apache.commons:commons-compress as a dependency.

All versions up to 1.20 have multiple medium vulnerabilities incorrectly handling input data. These are fixed with current version 1.21.

With tika-parsers 2.0 the new version is already used, therefore not a problem anymore.

But older 1.x line uses the vulnerable commons-compress@1.20. Is it possible to create a new security release for the 1.x line with this update?

An update to the newer 2.x version needs a lot more time due to the breaking changes mentioned at the release page (at least it reads so). A new 1.x release would held to faster fix this security problem for all.

Thanks,

Stefan Seide

Attachments

Issue Links

is related to

TIKA-3492 Upgrade version for TPS: rome to 1.16.0 in tika-bundle

Resolved

TIKA-3601 Update JSoup to fix CVE-2021-37714

Closed

TIKA-3488 Security issue XXE in TIKA due to JDOM

Resolved

relates to

TIKA-3613 General upgrades for 1.27.1

Open

Activity

People

Assignee:: Unassigned

Reporter:: Stefan Seide

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 29/Jul/21 10:08

Updated:: 08/Dec/21 14:22