Source: tika X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security
Hi, The following vulnerabilities were published for tika. Like all Apache software, their disclosure process is a mess, so we'll need to reach out to upstream for commits/more detailed information... CVE-2022-25169[0]: | The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may | allocate an unreasonable amount of memory on carefully crafted files. https://www.openwall.com/lists/oss-security/2022/05/16/4 CVE-2022-30126[1]: | In Apache Tika, a regular expression in our StandardsText class, used | by the StandardsExtractingContentHandler could lead to a denial of | service caused by backtracking on a specially crafted file. This only | affects users who are running the StandardsExtractingContentHandler, | which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0 https://www.openwall.com/lists/oss-security/2022/05/16/3 CVE-2022-33879[2]: | The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in | the StandardsExtractingContentHandler were insufficient, and we found | a separate, new regex DoS in a different regex in the | StandardsExtractingContentHandler. These are now fixed in 1.28.4 and | 2.4.1. https://www.openwall.com/lists/oss-security/2022/06/27/5 If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-25169 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25169 [1] https://security-tracker.debian.org/tracker/CVE-2022-30126 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30126 [2] https://security-tracker.debian.org/tracker/CVE-2022-33879 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33879 Please adjust the affected versions in the BTS as needed.
