tika - Debian Package Tracker

general

source: tika (main)
version: 1.22-2
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Emmanuel Bourg [DMD]
arch: all
std-ver: 4.4.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 1.20-1
testing: 1.22-2
unstable: 1.22-2

versioned links

1.20-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.22-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libtika-java

action needed

Problems while searching for a new upstream version high

uscan had problems while searching for a new upstream version:

In debian/watch no matching files for watch line
  https://github.com/apache/tika/tags .*/archive/([\d\.]+).tar.gz

Created: 2021-03-22 Last update: 2021-04-16 15:07

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2020-9489: A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
CVE-2021-28657: A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.

Created: 2021-02-19 Last update: 2021-04-12 11:02

2 security issues in bullseye high

There are 2 open security issues in bullseye.

1 important issue:

CVE-2021-28657: A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.

1 issue postponed or untriaged:

CVE-2020-9489: (needs triaging) A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.

Created: 2021-03-30 Last update: 2021-04-12 11:02

lintian reports 1 error and 8 warnings high

Lintian reports 1 error and 8 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-04-11 Last update: 2021-04-11 10:20

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2020-10-19 Last update: 2021-04-16 15:03

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1.22-3, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 13469f2c4eef5bfcccf8bc161f0bf3b3e7300ee9
Author: tony mancill <tmancill@debian.org>
Date:   Wed Apr 14 07:49:36 2021 -0700

    interim changelog

commit 9547e56a03f15beed21b9481e5b71362e949b20b
Author: tony mancill <tmancill@debian.org>
Date:   Wed Apr 14 07:49:12 2021 -0700

    Update debian/watch for new upstream tag layout

Created: 2021-04-14 Last update: 2021-04-14 16:08

7 low-priority security issues in buster low

There are 7 open security issues in buster.

7 issues left for the package maintainer to handle:

CVE-2019-10088: (needs triaging) A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Users should upgrade to 1.22 or later.
CVE-2019-10093: (needs triaging) In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs. Apache Tika users should upgrade to 1.22 or later.
CVE-2019-10094: (needs triaging) A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22 or later.
CVE-2020-1950: (needs triaging) A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser in versions 1.0-1.23.
CVE-2020-1951: (needs triaging) A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser in versions 1.0-1.23.
CVE-2020-9489: (needs triaging) A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
CVE-2021-28657: (needs triaging) A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2021-04-12 11:02

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.1 instead of 4.4.0).

Created: 2019-09-29 Last update: 2021-02-02 10:36

news

[rss feed]

[2021-02-07] tika 1.22-2 MIGRATED to testing (Debian testing watch)
[2021-02-02] Accepted tika 1.22-2 (source) into unstable (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)
[2020-05-04] tika REMOVED from testing (Debian testing watch)
[2020-03-28] Accepted tika 1.5-1+deb8u1 (source all) into oldoldstable (Anton Gladky)
[2019-08-10] tika 1.22-1 MIGRATED to testing (Debian testing watch)
[2019-08-05] Accepted tika 1.22-1 (source) into unstable (Emmanuel Bourg)
[2019-07-17] tika 1.21-1 MIGRATED to testing (Debian testing watch)
[2019-07-11] Accepted tika 1.21-1 (source) into unstable (Emmanuel Bourg)
[2019-01-27] tika 1.20-1 MIGRATED to testing (Debian testing watch)
[2019-01-22] Accepted tika 1.20-1 (source) into unstable (Emmanuel Bourg)
[2019-01-19] Accepted tika 1.18-1 (source) into unstable (Emmanuel Bourg)
[2019-01-07] Accepted tika 1.8-1 (source) into unstable (Emmanuel Bourg)
[2017-01-14] tika REMOVED from testing (Debian testing watch)
[2016-12-29] tika 1.5-5 MIGRATED to testing (Debian testing watch)
[2016-10-04] Accepted tika 1.5-5 (source all) into unstable (Emmanuel Bourg)
[2016-07-12] tika REMOVED from testing (Debian testing watch)
[2015-12-12] tika 1.5-4 MIGRATED to testing (Debian testing watch)
[2015-12-06] Accepted tika 1.5-4 (source all) into unstable (Markus Koschany)
[2015-11-27] tika 1.5-3 MIGRATED to testing (Britney)
[2015-11-21] Accepted tika 1.5-3 (source all) into unstable (Markus Koschany)
[2015-05-31] Accepted tika 1.5-2 (source all) into unstable (Emmanuel Bourg)
[2014-09-22] tika 1.5-1 MIGRATED to testing (Britney)
[2014-09-17] Accepted tika 1.5-1 (source all) into unstable, unstable (Emmanuel Bourg) (signed by: tony mancill)

bugs [bug history graph]

all: 3
RC: 0
I&N: 3
M&W: 0
F&P: 0
patch: 1

links

homepage
lintian (1, 8)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
other distros
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.22-2