Upstream has issued an advisory on May 26: http://www.openwall.com/lists/oss-security/2016/05/26/4 The issue is fixed in Tika 1.13. Mageia 5 is also affected.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO
Assignee: neoclust => mageia
CVE: (none) => CVE-2016-4434
URL: (none) => https://security-tracker.debian.org/tracker/CVE-2016-4434
See Also: (none) => https://bugzilla.redhat.com/show_bug.cgi?id=1340387
I see that tika can be disabled in vorbis-java easily (it's already built into the spec) and could probably be disabled similarly in hibernate-search. It's listed as a BR for eclipse-mylyn, but might not actually be needed. We could possibly remove tika then.
Status comment: (none) => Fixed upstream in 1.13, could be dropped if disabled in dependent packages
Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO
We should still look into dropping this. We won't be fixing this for Mageia 5.
Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO
Fedora has issued an advisory on April 27: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6NMECZJ3R6E6ZE5LT6KMROT7DDDMTYXP/ It fixes this and an additional issue by updating to 1.17.
Summary: tika new security issue CVE-2016-4434 => tika new security issue CVE-2016-4434 and CVE-2016-6809
Status comment: Fixed upstream in 1.13, could be dropped if disabled in dependent packages => Fixed upstream in 1.17, could be dropped if disabled in dependent packages
Depends on: (none) => 22954
tika-1.17-1.mga7 uploaded for Cauldron by David Geiger, so at least these issues are fixed (newer ones still aren't, and it could still be dropped).
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Mageia 6 is EOL.
Status: NEW => RESOLVED
CC: (none) => mrambo
Resolution: (none) => OLD