Bug#825501: CVE-2016-4434
Moritz Muehlenhoff
jmm at inutil.org
Fri Jan 12 18:54:58 UTC 2018
On Thu, Jan 11, 2018 at 02:03:23PM +0200, Faidon Liambotis wrote:
> On Fri, May 27, 2016 at 11:58:33AM +0200, Moritz Muehlenhoff wrote:
> > please see http://seclists.org/oss-sec/2016/q2/413 for details.
>
> That link says:
> Versions Affected:
> Apache Tika 0.10 to 1.12
>
> So perhaps 1.5 isn't affected after all? I tried to find the relevant
> commit in the upstream git but failed :(
Commit https://github.com/apache/tika/commit/f444fd784b99b181cd7bd54cdec9fbd132b4ef93
in 1.17 added a test case, so this might be related to changes in Xerces/J
which are possibly bundled by Tika downloads? Might be worth clarifying with
Tim Allison <tallison at apache.org>.
Cheers,
Moritz