All,

I was recently asked offline about this CVE which affects jetty 11.0.24, the current version in our 3.x branch. This was my response. Please let me know if there's a better option.

"jetty 12.x requires Java 17, cxf >= 4.1.0 requires Java 17. The fastest fix would be for a bugfix release of jetty 11.0.25 in Tika's 3.x. We don't have plans for an immediate 4.x release...that is vaguely slated for April (in Open Source Standard Time), which is probably a ways off. Are you actually concerned about the parser differential vulnerability or is this just to stop the vuln scanners from complaining? In short, I'd ask the jetty project if they plan an 11.0.25 release with a fix for that vuln. Once they do that, then we can make a 3.x release fairly quickly (couple of weeks to a month). I'm sorry there isn't a simpler solution."

Best,
Tim