tika - Debian Package Tracker

general

source: tika (main)
version: 1.22-2
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Emmanuel Bourg [DMD]
arch: all
std-ver: 4.4.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.20-1
oldstable: 1.22-2
unstable: 1.22-2

versioned links

1.20-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.22-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libtika-java

action needed

Problems while searching for a new upstream version high

uscan had problems while searching for a new upstream version:

In debian/watch no matching files for watch line
  https://github.com/apache/tika/tags .*/archive/([\d\.]+).tar.gz

Created: 2021-03-22 Last update: 2023-10-03 08:06

5 security issues in sid high

There are 5 open security issues in sid.

5 important issues:

CVE-2020-9489: A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
CVE-2021-28657: A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.
CVE-2022-25169: The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.
CVE-2022-30126: In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0
CVE-2022-33879: The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.

Created: 2022-07-04 Last update: 2023-06-10 13:34

lintian reports 8 warnings high

Lintian reports 8 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-04-11 Last update: 2022-07-30 12:17

5 security issues in bookworm high

There are 5 open security issues in bookworm.

5 important issues:

CVE-2020-9489: A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
CVE-2021-28657: A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.
CVE-2022-25169: The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.
CVE-2022-30126: In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0
CVE-2022-33879: The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.

Created: 2022-07-04 Last update: 2022-07-04 06:05

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2022-07-07 Last update: 2023-10-03 07:38

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2023-09-13 Last update: 2023-10-03 07:35

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1.22-3, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 13469f2c4eef5bfcccf8bc161f0bf3b3e7300ee9
Author: tony mancill <tmancill@debian.org>
Date:   Wed Apr 14 07:49:36 2021 -0700

    interim changelog

commit 9547e56a03f15beed21b9481e5b71362e949b20b
Author: tony mancill <tmancill@debian.org>
Date:   Wed Apr 14 07:49:12 2021 -0700

    Update debian/watch for new upstream tag layout

Created: 2021-04-14 Last update: 2023-09-29 02:30

5 low-priority security issues in bullseye low

There are 5 open security issues in bullseye.

5 issues left for the package maintainer to handle:

CVE-2020-9489: (needs triaging) A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
CVE-2021-28657: (needs triaging) A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.
CVE-2022-25169: (needs triaging) The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.
CVE-2022-30126: (needs triaging) In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0
CVE-2022-33879: (needs triaging) The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-07-04 Last update: 2023-06-10 13:34

debian/patches: 3 patches to forward upstream low

Among the 8 debian patches available in version 1.22-2 of the package, we noticed the following issues:

3 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2023-02-26 15:54

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 4.4.0).

Created: 2019-09-29 Last update: 2022-12-17 19:17

testing migrations

excuses:
- Migrates after: vorbis-java
- Migration status for tika (- to 1.22-2): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Updating tika would introduce bugs in testing: #1011492
- ∙ ∙ Build-Depends(-Arch): tika vorbis-java
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/t/tika.html
- ∙ ∙ 973 days old (needed 5 days)
- Not considered

news

[rss feed]

[2022-07-08] tika REMOVED from testing (Debian testing watch)
[2021-02-07] tika 1.22-2 MIGRATED to testing (Debian testing watch)
[2021-02-02] Accepted tika 1.22-2 (source) into unstable (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)
[2020-05-04] tika REMOVED from testing (Debian testing watch)
[2020-03-28] Accepted tika 1.5-1+deb8u1 (source all) into oldoldstable (Anton Gladky)
[2019-08-10] tika 1.22-1 MIGRATED to testing (Debian testing watch)
[2019-08-05] Accepted tika 1.22-1 (source) into unstable (Emmanuel Bourg)
[2019-07-17] tika 1.21-1 MIGRATED to testing (Debian testing watch)
[2019-07-11] Accepted tika 1.21-1 (source) into unstable (Emmanuel Bourg)
[2019-01-27] tika 1.20-1 MIGRATED to testing (Debian testing watch)
[2019-01-22] Accepted tika 1.20-1 (source) into unstable (Emmanuel Bourg)
[2019-01-19] Accepted tika 1.18-1 (source) into unstable (Emmanuel Bourg)
[2019-01-07] Accepted tika 1.8-1 (source) into unstable (Emmanuel Bourg)
[2017-01-14] tika REMOVED from testing (Debian testing watch)
[2016-12-29] tika 1.5-5 MIGRATED to testing (Debian testing watch)
[2016-10-04] Accepted tika 1.5-5 (source all) into unstable (Emmanuel Bourg)
[2016-07-12] tika REMOVED from testing (Debian testing watch)
[2015-12-12] tika 1.5-4 MIGRATED to testing (Debian testing watch)
[2015-12-06] Accepted tika 1.5-4 (source all) into unstable (Markus Koschany)
[2015-11-27] tika 1.5-3 MIGRATED to testing (Britney)
[2015-11-21] Accepted tika 1.5-3 (source all) into unstable (Markus Koschany)
[2015-05-31] Accepted tika 1.5-2 (source all) into unstable (Emmanuel Bourg)
[2014-09-22] tika 1.5-1 MIGRATED to testing (Britney)
[2014-09-17] Accepted tika 1.5-1 (source all) into unstable, unstable (Emmanuel Bourg) (signed by: tony mancill)

bugs [bug history graph]

all: 5
RC: 1
I&N: 4
M&W: 0
F&P: 0
patch: 1

links

homepage
lintian (0, 8)
buildd: logs
popcon
browse source code
edit tags
other distros
security tracker
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.22-2