[jira] [Commented] (TIKA-3232) security vulnerability in dependencies

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (TIKA-3232) security vulnerability in dependencies

Steve Loughran (Jira)

    [ https://issues.apache.org/jira/browse/TIKA-3232?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17235768#comment-17235768 ]

Shayne Grant commented on TIKA-3232:
------------------------------------

This is great news, thanks for the quick reply!  I will check back to obtain Tika 1.25

> security vulnerability in dependencies
> --------------------------------------
>
>                 Key: TIKA-3232
>                 URL: https://issues.apache.org/jira/browse/TIKA-3232
>             Project: Tika
>          Issue Type: Bug
>    Affects Versions: 1.24.1
>            Reporter: Shayne Grant
>            Assignee: Tim Allison
>            Priority: Major
>             Fix For: 1.25
>
>
> Our team runs BlackDuck to find security vulnerabilities and Tika 1.24.1 was flagged in a recent scan for two libraries that it includes.  Here is information about the two libraries which have vulnerabilities and have been recently patched which Tika needs to upgrade to:
>  
> Apache HttpClient v4.5.12
> The recommendation is to upgrade 4.5.13.  I cannot find a CVE number however the BlackDuck tool has pointed to the following changeset that was made in the 4.5.13 version that addresses the vulnerability
> [https://github.com/apache/httpcomponents-client/commit/e628b4c5c464c2fa346385596cc78e035a91a62e]
>  
> jackson-databind 2.10.3
> The recommendation is to upgrade to 2.11.3.  The issue was CVE-2020-25649



--
This message was sent by Atlassian Jira
(v8.3.4#803005)