[jira] [Created] (TIKA-2854) upgrade out-of-date dependencies with outstanding CVEs

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[jira] [Created] (TIKA-2854) upgrade out-of-date dependencies with outstanding CVEs

JIRA jira@apache.org
Andrew Pavlin created TIKA-2854:

             Summary: upgrade out-of-date dependencies with outstanding CVEs
                 Key: TIKA-2854
                 URL: https://issues.apache.org/jira/browse/TIKA-2854
             Project: Tika
          Issue Type: Bug
          Components: languageidentifier, parser
    Affects Versions: 1.20
            Reporter: Andrew Pavlin

Besides the libraries reported in TIKA-2801 and TIKA-2835, the following 4th party dependencies are out-of-date and should be upgraded to the latest versions. The first three have outstanding CVEs which would be resolved by using the newer versions of those dependencies.

jackson-databind (is 2.9.7, should be 2.9.8)

guava (is 17.0, should be 27.0)

sqlite-jdbc (is 3.25.2, should be

No current CVEs but still out-of-date:

Apache commons-codec (is 1.11, should be 1.12)

Apache CXF (is 3.2.7, should be 3.3.1)

Apache httpcomponents (is 4.5.6, should be 4.5.8)

Apache james mime4j (is 0.8.2, should be 0.8.3)

Apache opennlp-tools (is 1.9.0, should be 1.9.1)

parso (is 2.0.10, should beĀ  2.0.11)



jackcess (is 2.1.12, should be 3.0.0)

jackcess-encrypt (is 2.1.4, should be 3.0.0)

org.osgi.compendium (is 4.0.0, should be 5.0.0)

org.osgi.core (is 4.0.0, should be 6.0.0)

junrar (is 2.0.0, should be 4.0.0)

java-libpst (is 0.8.1, should be 0.9.3)

jna (is 5.1.0, should be 5.2.0)

Bouncy Castle bcprov and bcmail (is 1.60, should be 1.61)

slf4j-log4j12 (is 1.7.25, should be 1.7.26)

UCAR cdm (is 4.5.5, should be 5.0.0)

UCAR grib (is 4.5.5, should be 8.0.0)

UCAR httpservices (is 4.5.5, should be 4.6.7)

UCAR netcdf4 (incorrectly labeled as 4.5.5, should be 4.3.22)

bndlib (is 1.50.0, should be 4.2.0)

This message was sent by Atlassian JIRA