tika - Debian Package Tracker

general

source: tika (main)
version: 1.22-2
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Emmanuel Bourg [DMD]
arch: all
std-ver: 4.4.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 1.20-1
stable: 1.22-2
testing: 1.22-2
unstable: 1.22-2

versioned links

1.20-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.22-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libtika-java

action needed

Marked for autoremoval on 30 June due to nvidia-graphics-drivers-tesla-470: #1011146 high

Version 1.22-2 of tika is marked for autoremoval from testing on Thu 30 Jun 2022. It depends (transitively) on nvidia-graphics-drivers-tesla-470, affected by #1011146. You should try to prevent the removal by fixing these RC bugs.

Created: 2022-05-24 Last update: 2022-05-25 10:16

Problems while searching for a new upstream version high

uscan had problems while searching for a new upstream version:

In debian/watch no matching files for watch line
  https://github.com/apache/tika/tags .*/archive/([\d\.]+).tar.gz

Created: 2021-03-22 Last update: 2022-05-25 06:58

4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:

CVE-2020-9489: A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
CVE-2021-28657: A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.
CVE-2022-25169: The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.
CVE-2022-30126: In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0

Created: 2021-02-19 Last update: 2022-05-18 04:30

9 security issues in buster high

There are 9 open security issues in buster.

2 important issues:

CVE-2022-25169: The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.
CVE-2022-30126: In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0

7 issues left for the package maintainer to handle:

CVE-2020-1950: (needs triaging) A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser in versions 1.0-1.23.
CVE-2020-1951: (needs triaging) A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser in versions 1.0-1.23.
CVE-2020-9489: (needs triaging) A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
CVE-2019-10088: (needs triaging) A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Users should upgrade to 1.22 or later.
CVE-2019-10093: (needs triaging) In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs. Apache Tika users should upgrade to 1.22 or later.
CVE-2019-10094: (needs triaging) A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22 or later.
CVE-2021-28657: (needs triaging) A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2022-05-18 04:30

4 security issues in bullseye high

There are 4 open security issues in bullseye.

2 important issues:

CVE-2022-25169: The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.
CVE-2022-30126: In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0

2 issues left for the package maintainer to handle:

CVE-2020-9489: (needs triaging) A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
CVE-2021-28657: (needs triaging) A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-08-14 Last update: 2022-05-18 04:30

4 security issues in bookworm high

There are 4 open security issues in bookworm.

4 important issues:

CVE-2020-9489: A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
CVE-2021-28657: A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.
CVE-2022-25169: The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.
CVE-2022-30126: In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0

Created: 2021-08-15 Last update: 2022-05-18 04:30

lintian reports 1 error and 8 warnings high

Lintian reports 1 error and 8 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-04-11 Last update: 2021-04-11 10:20

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2021-08-14 Last update: 2022-05-25 10:03

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1.22-3, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 13469f2c4eef5bfcccf8bc161f0bf3b3e7300ee9
Author: tony mancill <tmancill@debian.org>
Date:   Wed Apr 14 07:49:36 2021 -0700

    interim changelog

commit 9547e56a03f15beed21b9481e5b71362e949b20b
Author: tony mancill <tmancill@debian.org>
Date:   Wed Apr 14 07:49:12 2021 -0700

    Update debian/watch for new upstream tag layout

Created: 2021-04-14 Last update: 2022-05-24 08:35

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.4.0).

Created: 2019-09-29 Last update: 2022-05-11 23:24

news

[rss feed]

[2021-02-07] tika 1.22-2 MIGRATED to testing (Debian testing watch)
[2021-02-02] Accepted tika 1.22-2 (source) into unstable (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)
[2020-05-04] tika REMOVED from testing (Debian testing watch)
[2020-03-28] Accepted tika 1.5-1+deb8u1 (source all) into oldoldstable (Anton Gladky)
[2019-08-10] tika 1.22-1 MIGRATED to testing (Debian testing watch)
[2019-08-05] Accepted tika 1.22-1 (source) into unstable (Emmanuel Bourg)
[2019-07-17] tika 1.21-1 MIGRATED to testing (Debian testing watch)
[2019-07-11] Accepted tika 1.21-1 (source) into unstable (Emmanuel Bourg)
[2019-01-27] tika 1.20-1 MIGRATED to testing (Debian testing watch)
[2019-01-22] Accepted tika 1.20-1 (source) into unstable (Emmanuel Bourg)
[2019-01-19] Accepted tika 1.18-1 (source) into unstable (Emmanuel Bourg)
[2019-01-07] Accepted tika 1.8-1 (source) into unstable (Emmanuel Bourg)
[2017-01-14] tika REMOVED from testing (Debian testing watch)
[2016-12-29] tika 1.5-5 MIGRATED to testing (Debian testing watch)
[2016-10-04] Accepted tika 1.5-5 (source all) into unstable (Emmanuel Bourg)
[2016-07-12] tika REMOVED from testing (Debian testing watch)
[2015-12-12] tika 1.5-4 MIGRATED to testing (Debian testing watch)
[2015-12-06] Accepted tika 1.5-4 (source all) into unstable (Markus Koschany)
[2015-11-27] tika 1.5-3 MIGRATED to testing (Britney)
[2015-11-21] Accepted tika 1.5-3 (source all) into unstable (Markus Koschany)
[2015-05-31] Accepted tika 1.5-2 (source all) into unstable (Emmanuel Bourg)
[2014-09-22] tika 1.5-1 MIGRATED to testing (Britney)
[2014-09-17] Accepted tika 1.5-1 (source all) into unstable, unstable (Emmanuel Bourg) (signed by: tony mancill)

bugs [bug history graph]

all: 4
RC: 1
I&N: 3
M&W: 0
F&P: 0
patch: 1

links

homepage
lintian (1, 8)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
other distros
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.22-2