tika-dev mailing list archives

From "Tim Allison (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (TIKA-2878) Update dependencies for 1.22
Date Mon, 12 Aug 2019 18:01:00 GMT

    [ https://issues.apache.org/jira/browse/TIKA-2878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16905432#comment-16905432 ]

Tim Allison edited comment on TIKA-2878 at 8/12/19 6:00 PM:
------------------------------------------------------------

Hi [~tmortagne], we receive quite a few reports about out of date and vulnerable dependencies,
and we are constantly striving to keep everything up to date. We've had to upgrade ASM fairly
recently to be compatible with modern versions of Java.  I don't know enough about ASM to
know if this beta version will break things -- outside of our unit and large scale regression
tests.  If this is causing a problem for you, we can revert that upgrade.

We run {{mvn versions:display-dependency-updates}} before our releases to make sure that
everything is up to date.  If we don't see any regressions or disastrous incompatibilities,
we make the upgrades.

If you'd like to help us develop a policy for updates (e.g. don't include *-beta unless a
non-beta doesn't exist, e.g. deeplearning4j) or if you'd like to open PRs to help us keep
everything up to date, please do chip in!


was (Author: tallison@mitre.org):
Hi [~tmortagne], we receive quite a few reports about out of date and vulnerable dependencies,
and we are constantly striving to keep everything up to date.  We run {{mvn versions:display-dependency-updates}}
before our releases to make sure that everything is up to date.  If we don't see any regressions
or disastrous incompatibilities, we make the upgrades.

If you'd like to help us develop a policy for updates (e.g. don't include *-beta unless a
non-beta doesn't exist, e.g. deeplearning4j) or if you'd like to open PRs to help us keep
everything up to date, please do chip in!

> Update dependencies for 1.22
> ----------------------------
>
>                 Key: TIKA-2878
>                 URL: https://issues.apache.org/jira/browse/TIKA-2878
>             Project: Tika
>          Issue Type: Task
>            Reporter: Tim Allison
>            Priority: Major
>         Attachments: dependency-check-report.html, dependency_tree.txt, pom.xml
>
>
> And in the category of "stuff you can't make up"...while generating the javadocs for the 1.21 release:
> We're now getting this in {{tika-parsers}}:
> {noformat}
>   c3p0:c3p0:jar:0.9.1.1:compile; https://ossindex.sonatype.org/component/pkg:maven/c3p0/c3p0@0.9.1.1
>     * [CVE-2019-5427]  Resource Management Errors (7.5); https://ossindex.sonatype.org/vuln/d25f4c21-9e76-4fc2-9d73-3770aa3aec56
> {noformat}
> and in {{tika-server}}:
> {noformat}
>     * [CVE-2019-10247]  Information Exposure (5.3); https://ossindex.sonatype.org/vuln/47ad4d7e-b9c3-414f-9bfa-1dfaa92b0aba
>     * [CVE-2019-10241]  Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") (6.1); https://ossindex.sonatype.org/vuln/970aece8-4a1d-4a9e-ab97-0982b13dac4d
>   org.eclipse.jetty:jetty-server:jar:9.4.14.v20181114:compile; https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/jetty-server@9.4.14.v20181114
>     * [CVE-2019-10247]  Information Exposure (5.3); https://ossindex.sonatype.org/vuln/47ad4d7e-b9c3-414f-9bfa-1dfaa92b0aba
>     * [CVE-2019-10241]  Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") (6.1); https://ossindex.sonatype.org/vuln/970aece8-4a1d-4a9e-ab97-0982b13dac4d
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
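As an added example (not code from the Tika project or from anyone in this thread), a small Python release gate that combines the two things discussed above: it parses OSS Index audit lines of the shape quoted in the issue into components and their CVE entries, then fails the gate on any CVSS score at or above a threshold and on any pre-release version, generalising the proposed "*-beta" rule to the usual alpha/rc/milestone/snapshot markers. SAMPLE_REPORT is constructed for the example from the quoted lines; the org.example:widget-lib entry is made up to exercise the pre-release rule.

```python
import re
from collections import namedtuple
from typing import List

# Constructed sample modelled on the audit lines quoted in the issue; the
# org.example:widget-lib entry is made up to exercise the pre-release rule.
SAMPLE_REPORT = """\
  c3p0:c3p0:jar:0.9.1.1:compile; https://ossindex.sonatype.org/component/pkg:maven/c3p0/c3p0@0.9.1.1
    * [CVE-2019-5427]  Resource Management Errors (7.5); https://ossindex.sonatype.org/vuln/d25f4c21-9e76-4fc2-9d73-3770aa3aec56
  org.eclipse.jetty:jetty-server:jar:9.4.14.v20181114:compile; https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/jetty-server@9.4.14.v20181114
    * [CVE-2019-10247]  Information Exposure (5.3); https://ossindex.sonatype.org/vuln/47ad4d7e-b9c3-414f-9bfa-1dfaa92b0aba
    * [CVE-2019-10241]  Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") (6.1); https://ossindex.sonatype.org/vuln/970aece8-4a1d-4a9e-ab97-0982b13dac4d
  org.example:widget-lib:jar:2.0.0-beta3:compile; https://ossindex.sonatype.org/component/pkg:maven/org.example/widget-lib@2.0.0-beta3
"""

Vuln = namedtuple("Vuln", "cve title cvss")
Component = namedtuple("Component", "group artifact version scope vulns")

# Line shapes: "group:artifact:packaging:version:scope; url" and "* [CVE-id] title (score); url".
COMPONENT_RE = re.compile(r"^\s*([^:\s]+):([^:\s]+):[^:\s]+:([^:\s]+):([^;\s]+);")
VULN_RE = re.compile(r"^\s*\*\s*\[([^\]]+)\]\s+(.+?)\s+\((\d+(?:\.\d+)?)\);")
PRERELEASE_RE = re.compile(r"(?i)[-.](alpha|beta|rc|milestone|m|snapshot)\d*(?=[-.]|$)")

def parse_report(text: str) -> List[Component]:
    """Attach each indented CVE line to the component line that precedes it."""
    comps: List[Component] = []
    for line in text.splitlines():
        if m := COMPONENT_RE.match(line):
            comps.append(Component(*m.groups(), []))
        elif comps and (m := VULN_RE.match(line)):
            cve, title, cvss = m.groups()
            comps[-1].vulns.append(Vuln(cve, title, float(cvss)))
    return comps

def is_prerelease(version: str) -> bool:
    """Generalises the proposed '*-beta' rule to the usual pre-release markers."""
    return PRERELEASE_RE.search(version) is not None

def release_gate(comps: List[Component], cvss_threshold: float = 7.0) -> List[str]:
    """One finding per policy violation; an empty list means the gate passes."""
    findings = []
    for c in comps:
        coord = f"{c.group}:{c.artifact}:{c.version}"
        findings += [f"{coord}: {v.cve} scores {v.cvss} >= {cvss_threshold}"
                     for v in c.vulns if v.cvss >= cvss_threshold]
        if is_prerelease(c.version):
            findings.append(f"{coord}: pre-release version in {c.scope} scope")
    return findings
```

Running release_gate(parse_report(SAMPLE_REPORT)) returns two findings: the c3p0 CVE at 7.5 and the constructed beta dependency; the Jetty entries fall below the default threshold and are left for review.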
