
[Security] Bump tika-core from 1.10 to 1.18 #13

Open. Wants to merge 1 commit into base: master

Conversation

dependabot-preview[bot]

Bumps tika-core from 1.10 to 1.18. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Sonatype OSS Index.

[CVE-2018-1338] Resource Management Errors
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18.

Affected versions: <= 1.13.0; = 1.14.0; = 1.15.0; = 1.16.0; = 1.17.0

Sourced from The Sonatype OSS Index.

[CVE-2018-1335] Improper Neutralization of Special Elements used in a Command (Command Injection)
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.

Affected versions: <= 1.13.0; = 1.14.0; = 1.15.0; = 1.16.0; = 1.17.0

Sourced from The Sonatype OSS Index.

[CVE-2018-1339] Resource Management Errors
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.

Affected versions: <= 1.13.0; = 1.14.0; = 1.15.0; = 1.16.0; = 1.17.0

Sourced from The Sonatype OSS Index.

[CVE-2016-6809] Deserialization of Untrusted Data
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.

Affected versions: <= 1.13.0
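
The "Affected versions" expressions above can be evaluated mechanically to decide whether a declared tika-core version is still exposed to any of the four CVEs. The following is an added example (not code from this PR or from the Tika project): it parses the constraint syntax used in the entries above, extracts the tika-core version from a constructed pom.xml snippet, and reports which of the listed CVEs apply.

```python
import re
import xml.etree.ElementTree as ET

# Affected-version expressions exactly as listed in the PR's Sonatype OSS Index entries.
AFFECTED = {
    "CVE-2018-1338": "<= 1.13.0; = 1.14.0; = 1.15.0; = 1.16.0; = 1.17.0",
    "CVE-2018-1335": "<= 1.13.0; = 1.14.0; = 1.15.0; = 1.16.0; = 1.17.0",
    "CVE-2018-1339": "<= 1.13.0; = 1.14.0; = 1.15.0; = 1.16.0; = 1.17.0",
    "CVE-2016-6809": "<= 1.13.0",
}

# Constructed sample pom.xml fragment (not from the repository this PR targets).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-core</artifactId>
      <version>1.10</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(v):
    """'1.10' -> (1, 10, 0): pad to three components so that 1.13 compares equal to 1.13.0."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def matches_constraint(version, constraint):
    """Evaluate one clause such as '<= 1.13.0' or '= 1.14.0' against a version string."""
    m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*([\d.]+)\s*", constraint)
    if not m:
        raise ValueError(f"unparseable constraint: {constraint!r}")
    v, bound = parse_version(version), parse_version(m.group(2))
    return {"<=": v <= bound, ">=": v >= bound, "<": v < bound, ">": v > bound, "=": v == bound}[m.group(1)]

def is_affected(version, expr):
    """Clauses separated by ';' are alternatives: the version is affected if any clause matches."""
    return any(matches_constraint(version, c) for c in expr.split(";") if c.strip())

def affecting_cves(version, table=AFFECTED):
    """Return the sorted list of CVE ids from the table whose affected range covers `version`."""
    return sorted(cve for cve, expr in table.items() if is_affected(version, expr))

def tika_core_version_from_pom(pom_xml):
    """Return the declared version of org.apache.tika:tika-core in a pom.xml string, or None.
    Caveat: a version given as a property reference such as ${tika.version} is returned unresolved."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    for dep in ET.fromstring(pom_xml).iterfind(".//m:dependency", ns):
        if (dep.findtext("m:groupId", namespaces=ns) == "org.apache.tika"
                and dep.findtext("m:artifactId", namespaces=ns) == "tika-core"):
            return dep.findtext("m:version", namespaces=ns)
    return None
```

Running `affecting_cves(tika_core_version_from_pom(SAMPLE_POM))` on the 1.10 sample lists all four CVEs, while 1.18 (the target of this PR) matches none.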

Changelog

Sourced from tika-core's changelog.

Release 2.0.0 - ???
BREAKING CHANGES in 2.0.0

  • Remove deprecated Metadata keys/properties (TIKA-1974).

Other changes

Release 1.19 ???

  • Add absolute timeout to ForkParser rather than testing
    for active (TIKA-2656).

  • Make the RecursiveParserWrapper work with the ForkParser (TIKA-2655).

  • Allow the ForkParser to specify a directory containing tika-app.jar
    for use by the ForkServer. This allows users to keep most of the
    parser dependencies out of their code; and it allows for an easy
    addition of optional jars for Parser dependencies,
    such as the xerial sqlite jar (TIKA-2653).

  • Use a pool for SAXParsers and DOMBuilders rather than creating
    a new parser/builder for every parse.
    For better performance, set XMLReaderUtils.setPoolSize() to the
    number of threads you're using with Tika (TIKA-2645).

  • Add the RecursiveParserWrapperHandler to improve the RecursiveParserWrapper
    API slightly (TIKA-2644).

  • Improve output from Boilerpipe extracted text, by adding in missing
    whitespace and removing inappropriate new-lines (TIKA-2683).

Release 1.18 - 4/20/2018

  • Upgrade jackson to 2.9.5 (TIKA-2634).

  • Add support for brotli (TIKA-2621).

  • Upgrade PDFBox to 2.0.9 and include new jbig2-imageio
    from org.apache.pdfbox (TIKA-2579 and TIKA-2607).

  • Support for TIFF images in PDF files (TIKA-2338)

  • Detection of full encrypted 7z files (TIKA-2568)

  • Various new mimes and typo fixes in tika-mimetypes.xml
    via Andreas Meier (TIKA-2527).

  • Revert to listenForAllRecords=false in ExcelExtractor
    via Grigoriy Alekseev (TIKA-2590)

... (truncated)
Commits
  • 38ff2a9 [maven-release-plugin] prepare release 1.18-rc3
  • 24cd176 update CHANGES.txt in prep for RC3
  • 15410ed roll back to 1.18-SNAPSHOT in prep for RC3
  • e84d0d5 TIKA-2635 -- require that user specify path for imagemagick on windows to avo...
  • c68994f fix broken build on *nix caused by recent fixes; improve documentation; ensur...
  • 85b2504 Merge remote-tracking branch 'origin/branch_1x' into branch_1x
  • a8b41d3 TIKA-2634 upgrade Jackson to 2.9.5
  • bb7adac TIKA-2634 upgrade Jackson to 2.9.5
  • a39b325 [maven-release-plugin] prepare for next development iteration
  • 1203862 [maven-release-plugin] prepare release 1.18-rc2
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

Bumps [tika-core](https://github.com/apache/tika) from 1.10 to 1.18. **This update includes security fixes.**
- [Release notes](https://github.com/apache/tika/releases)
- [Changelog](https://github.com/apache/tika/blob/master/CHANGES.txt)
- [Commits](apache/tika@1.10...1.18)

Signed-off-by: dependabot[bot] <[email protected]>
dependabot-preview bot added the labels dependencies and security (Pull requests that address a security vulnerability) on Aug 29, 2018
dependabot-preview bot force-pushed the dependabot/maven/org.apache.tika-tika-core-1.18 branch from e6bdced to 033a195 on August 29, 2018 20:54
@dependabot-preview

A newer version of org.apache.tika:tika-core exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

Labels
dependencies security Pull requests that address a security vulnerability