Debian alert DLA-4350-1 (tika)
From: Paride Legovini <paride@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4350-1] tika security update
Date: Sun, 26 Oct 2025 20:59:15 +0100
Message-ID: <023555ee55fdcdd69168279c7837ca8f@debian.org>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4350-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Paride Legovini
October 26, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : tika
Version        : 1.22-2+deb11u1
CVE ID         : CVE-2025-54988

A vulnerability has been fixed in the tika package, which distributes the
Apache Tika content analysis toolkit.

The vulnerability affects the tika-parser-pdf-module component and allows
an attacker to carry out XML External Entity injection via a crafted XFA
file inside of a PDF. An attacker may be able to read sensitive data or
trigger malicious requests to internal resources or third-party servers.

For Debian 11 bullseye, this problem has been fixed in version
1.22-2+deb11u1.

We recommend that you upgrade your tika packages.

For the detailed security status of tika please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tika

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
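
A pre-filter a defender could run on PDFs before they reach a Tika instance that has not yet been upgraded, as an added example that is not part of the advisory or of Tika's code: it flags files that carry an XFA form and whose streams contain a DTD or entity declaration. The function names and sample bytes are constructed for illustration, and the check is a heuristic: it only inflates Flate streams and does not look inside object streams or encrypted files.

```python
import re
import zlib

# Markers of a DTD / entity declaration, which XFA form data has no need for.
DTD_MARKERS = (b"<!DOCTYPE", b"<!ENTITY")
# Body of every PDF stream object; trailing EOL bytes are tolerated below.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def decoded_streams(pdf_bytes):
    """Yield each stream body, inflated when it is Flate-compressed."""
    for match in STREAM_RE.finditer(pdf_bytes):
        raw = match.group(1)
        try:
            # decompressobj ignores bytes after the end of the zlib stream.
            yield zlib.decompressobj().decompress(raw)
        except zlib.error:
            yield raw  # not Flate data: inspect the bytes as they are


def triage_pdf(pdf_bytes):
    """Return 'no-xfa', 'xfa' or 'xfa-with-dtd' to drive a quarantine rule."""
    if b"/XFA" not in pdf_bytes:
        return "no-xfa"
    for body in decoded_streams(pdf_bytes):
        if any(marker in body for marker in DTD_MARKERS):
            return "xfa-with-dtd"
    return "xfa"


def build_sample(xfa_xml):
    """Constructed, minimal PDF-like bytes for the demo (not a valid PDF)."""
    body = zlib.compress(xfa_xml)
    return (b"%PDF-1.7\n1 0 obj\n<< /AcroForm << /XFA 2 0 R >> >>\nendobj\n"
            b"2 0 obj\n<< /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


# Constructed sample inputs: a plain XFA packet and one with an inert,
# internal-only entity declaration in front of it.
CLEAN_XFA = b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template/></xdp:xdp>'
DTD_XFA = b'<!DOCTYPE xdp [<!ENTITY placeholder "constructed">]>' + CLEAN_XFA

if __name__ == "__main__":
    for name, xml in (("clean", CLEAN_XFA), ("dtd", DTD_XFA)):
        print(name, triage_pdf(build_sample(xml)))
```

A result of `xfa-with-dtd` is a reason to hold the file for review, not proof of an attack; upgrading to the fixed package remains the actual remedy.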
