On Thu, Jan 11, 2018 at 02:03:23PM +0200, Faidon Liambotis wrote:
> On Fri, May 27, 2016 at 11:58:33AM +0200, Moritz Muehlenhoff wrote:
> > please see http://seclists.org/oss-sec/2016/q2/413 for details.
>
> That link says:
> Versions Affected:
> Apache Tika 0.10 to 1.12
>
> So perhaps 1.5 isn't affected after all? I tried to find the relevant
> commit in the upstream git but failed :(

Commit https://github.com/apache/tika/commit/f444fd784b99b181cd7bd54cdec9fbd132b4ef93 in 1.17 added a test case, so this might be related to changes in Xerces/J which are possibly bundled by Tika downloads? Might be worth clarifying with Tim Allison <talli...@apache.org>.

Cheers,
Moritz