Debian Bug report logs -
#1015002
tika: CVE-2022-25169 CVE-2022-30126 CVE-2022-33879
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1015002; Package src:tika.
(Fri, 15 Jul 2022 22:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.
(Fri, 15 Jul 2022 22:39:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: tika
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for tika.
Like all Apache software, their disclosure process is a mess, so we'll
need to reach out to upstream for commits/more detailed information...
CVE-2022-25169[0]:
| The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may
| allocate an unreasonable amount of memory on carefully crafted files.
https://www.openwall.com/lists/oss-security/2022/05/16/4
CVE-2022-30126[1]:
| In Apache Tika, a regular expression in our StandardsText class, used
| by the StandardsExtractingContentHandler could lead to a denial of
| service caused by backtracking on a specially crafted file. This only
| affects users who are running the StandardsExtractingContentHandler,
| which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0
https://www.openwall.com/lists/oss-security/2022/05/16/3
CVE-2022-33879[2]:
| The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in
| the StandardsExtractingContentHandler were insufficient, and we found
| a separate, new regex DoS in a different regex in the
| StandardsExtractingContentHandler. These are now fixed in 1.28.4 and
| 2.4.1.
https://www.openwall.com/lists/oss-security/2022/06/27/5
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-25169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25169
[1] https://security-tracker.debian.org/tracker/CVE-2022-30126
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30126
[2] https://security-tracker.debian.org/tracker/CVE-2022-33879
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33879
Please adjust the affected versions in the BTS as needed.
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Jul 16 13:16:36 2022;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon