tika: CVE-2018-8017

Related Vulnerabilities: CVE-2018-8017  

Debian Bug report logs - #914643

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 25 Nov 2018 20:57:03 UTC

Severity: important

Tags: security, upstream

Found in version tika/1.5-5

Fixed in version tika/1.20-1

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#914643; Package src:tika. (Sun, 25 Nov 2018 20:57:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 25 Nov 2018 20:57:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tika: CVE-2018-8017
Date: Sun, 25 Nov 2018 21:54:06 +0100
Source: tika
Version: 1.5-5
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for tika.

CVE-2018-8017[0]:
| In Apache Tika 1.2 to 1.18, a carefully crafted file can trigger an
| infinite loop in the IptcAnpaParser.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8017
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8017

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#914643. (Tue, 22 Jan 2019 09:24:07 GMT)


Message #8 received at 914643-submitter@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 914643-submitter@bugs.debian.org
Subject: Bug #914643 in tika marked as pending
Date: Tue, 22 Jan 2019 09:20:49 +0000
Control: tag -1 pending

Hello,

Bug #914643 in tika reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/tika/commit/baf6b4c8a28503cd8c3431519c19e03e72c09e78

------------------------------------------------------------------------
The new release fixes CVE-2018-8017 (Closes: #914643)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/914643



Added tag(s) pending. Request was from Emmanuel Bourg <ebourg@apache.org> to 914643-submitter@bugs.debian.org. (Tue, 22 Jan 2019 09:24:07 GMT)


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Tue, 22 Jan 2019 09:39:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 22 Jan 2019 09:39:03 GMT)


Message #15 received at 914643-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 914643-close@bugs.debian.org
Subject: Bug#914643: fixed in tika 1.20-1
Date: Tue, 22 Jan 2019 09:36:20 +0000
Source: tika
Source-Version: 1.20-1

We believe that the bug you reported is fixed in the latest version of
tika, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 914643@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated tika package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 22 Jan 2019 10:19:46 +0100
Source: tika
Binary: libtika-java
Architecture: source
Version: 1.20-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libtika-java - Apache Tika - content analysis toolkit
Closes: 914643
Changes:
 tika (1.20-1) unstable; urgency=medium
 .
   * New upstream release
     - Fixes CVE-2018-8017: Infinite loop in the IptcAnpaParser (Closes: #914643)
     - Refreshed the patches
     - New dependency on libgeronimo-annotation-1.3-spec-java
     - Depend on libapache-poi-java (>= 4.0)
     - New build dependency on libmaven-shade-plugin-java
Checksums-Sha1:
 1f54bb95614a92f4a99a5bbbbc44a571ee740642 2733 tika_1.20-1.dsc
 0d6d3de71527f2120128d5631abaf2ed93a7627e 2507360 tika_1.20.orig.tar.xz
 4eb3c76e81f0b17de3c2b74e56cc7eef456f21aa 7304 tika_1.20-1.debian.tar.xz
 89a4ca37a4c2ac2142f66538f1efe463e4c24397 16286 tika_1.20-1_source.buildinfo
Checksums-Sha256:
 562b064ae18187e97d830bd60b572834f2284fbc379a0f6dd3a4230557fff26d 2733 tika_1.20-1.dsc
 f845d42801bb6a1bed4206728127f37054f923e4ca93999bc1bd9b3c8efd49d0 2507360 tika_1.20.orig.tar.xz
 199808667eb2f73de656906da96bb0fc58a3c9b5670f1a0f19df45d6b0e345a3 7304 tika_1.20-1.debian.tar.xz
 5828d1fb8ed91d4e420b3164fe02d6840b2cbda67be481706c5cb90343992e24 16286 tika_1.20-1_source.buildinfo
Files:
 a01b1a235a41bb1d6931b5fdc634defa 2733 java optional tika_1.20-1.dsc
 c31731bf49473d574a244ccd0b9dd92a 2507360 java optional tika_1.20.orig.tar.xz
 73f43e860f9e62361e6bd67dd453c4f1 7304 java optional tika_1.20-1.debian.tar.xz
 2778c894b97da40252222ddfe9e52d95 16286 java optional tika_1.20-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEEuM5N4hCA3PkD4WxA9RPEGeS50KwFAlxG4GkSHGVib3VyZ0Bh
cGFjaGUub3JnAAoJEPUTxBnkudCsLB8QAKg0rDOs5u6kaArKCSFLi0cULdlWBu+S
LsUiU0iT7dci8XBbPFLy8MkMVMgKFnqsktlZ0mqFdW/KeqNi4Tu8uA2Zf7chdwuQ
e/Y37gu/+4omUiJZPnYXV+3qax8vr3MbbrC4B+EROMPTkegD0lbNXAUafEFnC3ex
gliCUXYXwS8Kn1oF2qHeihhO3wqWHu6P9u5D/AAdcbkr6/DOnk52RhW6iM0kcyML
3zwcEdaQWdg4+Xt6CPh4EcLj2zoinmm5PV1C9ek0A96wGS89BdLQy7Sb1gHbcpuE
Gcj7q8gkHMu/8Y2h4FHU8gXQmj6NSvlGAnooO8BRZBG06G8qkCxOFWmU6s4GyxkQ
RVaYzAiuTe3Rq37kS34TmeJCttDEl1lPFIZl3hkNJwP9SuytG2xVAN5PI3rW3kLt
/q/qGzY6AbGeoUHhSQb15oeGpI42G5FZF6/3IMXQ87QrqCFMICWeD9UKRr/4v5QX
OJzYPNDK1SE9UHHrqILBxYU7eH8cs205ERy48UjlUOMiUzaAuakySbHVEMpXe/6i
TKMXFgCfB2GkY2+d33CyiQB7D6kqTuMNWnZMt7/0858ME5qjVt2pIhvmFZKFT0dz
5eZnm+wpDzbO+ucCR5Duj+2nqLyd4fKDamrR9qjEhm5qzzAuEV3cIwza15WmuuGm
4LhYRG4RIJmb
=b2dA
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Feb 2019 07:28:54 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:34:08 2019; Machine Name: buxtehude
