[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Triage of CVE-2020-9489/tika

Hi Utkarsh,

I will first your mail in full with the Git SHAs expanded to URIs of
the diffs themselves:

> The general dependency updates including some with security
> implications: https://github.com/apache/tika/commit/171f4343.diff
> 
> The fixes for the security items identified in that CVE
> https://github.com/apache/tika/commit/0f4d5de0.diff
> https://github.com/apache/tika/commit/73b26ef0.diff
> https://github.com/apache/tika/commit/e9b2c386.diff
> https://github.com/apache/tika/commit/8e2eb052.diff
> https://github.com/apache/tika/commit/57193f51.diff
> https://github.com/apache/tika/commit/f9607f97.diff
> https://github.com/apache/tika/commit/f7f1be6a.diff
> https://github.com/apache/tika/commit/333d9906.diff

I would definitely agree with your sentiment that this would be too
invasive to backport as a patch. However, before going for no-dsa
here, did you consider upgrading the entire package to a newer
version? (Is it even compatible? Is this critical enough of a package?
etc.)


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-
Reply to: