Date: Fri, 24 Apr 2020 12:19:48 -0400 From: Tim Allison <tallison@...che.org> To: announce@...che.org, "<dev@...a.apache.org>" <dev@...a.apache.org>, user@...a.apache.org, Apache Security Team <security@...che.org>, oss-security@...ts.openwall.com Subject: [CVE-2020-9489] Denial of Service (DOS) Vulnerabilities in Some of Apache Tika's Parsers Severity: Medium Vendor: The Apache Software Foundation Versions Affected: Apache Tika 1.24 Description: A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Mitigation: Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:126.96.36.199. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release. We also upgraded openjson to 1.0.10, org.ow2.asm to 8.0.1, zstd-jni to 1.4.4-9, bouncycastle to 1.65, commons-lang3 to 3.10, lucene to 8.5.0 and mockito to 3.3.3 as part of the 1.24.1 release. Credit: These vulnerabilities were discovered by Tim Allison on the Apache Tika team.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.