Bug 18557

Summary: tika new security issue CVE-2016-4434 and CVE-2016-6809
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Nicolas Lécureuil <mageia>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: geiger.david68210, mhrambo3501
Version: 6   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://security-tracker.debian.org/tracker/CVE-2016-4434
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1340387
Whiteboard:
Source RPM: tika-1.11-2.mga6.src.rpm CVE: CVE-2016-4434
Status comment: Fixed upstream in 1.17, could be dropped if disabled in dependent packages
Bug Depends on: 22954    
Bug Blocks:    

Description David Walser 2016-05-27 14:36:21 CEST 
Upstream has issued an advisory on May 26:
http://www.openwall.com/lists/oss-security/2016/05/26/4

The issue is fixed in Tika 1.13.

Mageia 5 is also affected.
David Walser 2016-05-27 14:36:52 CEST

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO

David Walser 2016-07-06 19:49:08 CEST

Assignee: neoclust => mageia

Nicolas Lécureuil 2017-04-22 21:54:24 CEST

CVE: (none) => CVE-2016-4434
URL: (none) => https://security-tracker.debian.org/tracker/CVE-2016-4434

Nicolas Lécureuil 2017-05-15 23:57:12 CEST

See Also: (none) => https://bugzilla.redhat.com/show_bug.cgi?id=1340387

Comment 1 David Walser 2017-06-04 17:20:33 CEST 
I see that tika can be disabled in vorbis-java easily (it's already built in to the spec) and could probably be disabled similarly in hibernate-search.  It's listed as a BR for eclipse-mylyn, but might not actually be needed.  We could possibly remove tika then.
David Walser 2017-06-05 01:37:47 CEST

Status comment: (none) => Fixed upstream in 1.13, could be dropped if disabled in dependent packages

David Walser 2017-07-07 04:22:56 CEST

Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO

Comment 2 David Walser 2017-12-27 00:58:42 CET 
We should still look into dropping this.  We won't be fixing this for Mageia 5.

Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO

Comment 3 David Walser 2018-04-28 12:06:26 CEST 
Fedora has issued an advisory on April 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6NMECZJ3R6E6ZE5LT6KMROT7DDDMTYXP/

It fixes this and an additional issue by updating to 1.17.

Summary: tika new security issue CVE-2016-4434 => tika new security issue CVE-2016-4434 and CVE-2016-6809
Status comment: Fixed upstream in 1.13, could be dropped if disabled in dependent packages => Fixed upstream in 1.17, could be dropped if disabled in dependent packages

David Walser 2018-09-19 23:20:11 CEST

Depends on: (none) => 22954

Comment 4 David Walser 2019-01-01 04:55:16 CET 
tika-1.17-1.mga7 uploaded for Cauldron by David Geiger, so at least these issues are fixed (newer ones still aren't, and it could still be dropped).

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 5 Mike Rambo 2019-11-06 13:11:45 CET 
Mageia 6 is EOL.

Status: NEW => RESOLVED
CC: (none) => mrambo
Resolution: (none) => OLD