Release 1.22 Tika server to dockerhub

Question

Release 1.22 Tika server to dockerhub

chibenwa opened this issue 5 years ago · comments

Benoit TELLIER commented 5 years ago

I saw several vulnerabilities affecting the currently shipped version of Tika, all of them resolved in 1.22 version.

Namely:

[CVE-2019-10088] OOM from a crafted Zip File in Apache Tika's RecursiveParserWrapper
[CVE-2019-10093] Denial of Service in Apache Tika's 2003ml and 2006ml Parsers
[CVE-2019-10094] StackOverflow from Crafted Package/Compressed Files in Apache Tika's RecursiveParserWrapper

When do you think the docker image will be available on dockerhub?

Eric Pugh · Answer 1 · Wed Oct 09 2019 00:27:43 GMT+0800 (China Standard Time)

I believe this issue can be closed, as the latest Tika 1.22 is deployed:

https://hub.docker.com/layers/logicalspark/docker-tikaserver/latest/images/sha256-11dcbecfd5ee393edb5094c2d84650c063b9096916492e5ac06ab71d0cb4aae1

Benoit TELLIER · Answer 2 · Wed Oct 09 2019 08:54:30 GMT+0800 (China Standard Time)

Well, not really.

I don't want to rfly on a latest image thus I would like the 1.22 tag to be explicit.

Eric Pugh · Answer 3 · Wed Oct 09 2019 20:27:24 GMT+0800 (China Standard Time)

True! This is probably why publishing a Docker image should probably be part of the release process of the Apache Tika project. Though I do appreciate all the effort LogicalSpark has done in providing these images!

…

On Oct 8, 2019, at 8:54 PM, Tellier Benoit ***@***.***> wrote: Well, not really. I don't want to rfly on a latest image thus I would like the 1.22 tag to be explicit. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#21?email_source=notifications&email_token=AAAFO6YBQTWO4TSAD5VF5FLQNUTUNA5CNFSM4IK6IRQKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEAWDNZA#issuecomment-539768548>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAAFO63RX4D5UXNMR52355LQNUTUNANCNFSM4IK6IRQA>.

_______________________ Eric Pugh | Founder & CEO | OpenSource Connections, LLC | 434.466.1467 | http://www.opensourceconnections.com <http://www.opensourceconnections.com/> | My Free/Busy <http://tinyurl.com/eric-cal> Co-Author: Apache Solr Enterprise Search Server, 3rd Ed <https://www.packtpub.com/big-data-and-business-intelligence/apache-solr-enterprise-search-server-third-edition-raw> This e-mail and all contents, including attachments, is considered to be Company Confidential unless explicitly stated otherwise, regardless of whether attachments are marked as such.

Vegard Stikbakke · Answer 4 · Wed Nov 20 2019 15:44:16 GMT+0800 (China Standard Time)

+1 on this. Any way I can help? Also tagging @dameikle

Matthias Pigulla · Answer 5 · Thu Jan 09 2020 03:56:16 GMT+0800 (China Standard Time)

@dameikle would it help if we try to come up with a GitHub Action that could build the image and push it to the Docker hub whenever a release is tagged in this repo?

David Meikle · Answer 6 · Thu Jan 09 2020 05:58:02 GMT+0800 (China Standard Time)

Hi Folks. Sorry I've been silent on this for a while, its been a busy time offline. I agree with you @epugh it would be good to do this from the official Apache Tika project, and retire this altogether. Let me take a look at the PR @mpdude has kindly provided and see if we can incorporate some of this into an official Tika one. I can do a parallel inclusion here and there until ready to retire this.

Benoit TELLIER · Answer 7 · Thu Jan 09 2020 10:20:36 GMT+0800 (China Standard Time)

As far as I am aware of a docker container ships non apacheV2 license content thus having already built container as a delivery of an Apache project is controversial, and they were ongoing discussion on this topic at ApacheCon Berlin. (However shipping a dockerfile is fine).

David Meikle · Answer 8 · Thu Jan 09 2020 10:50:11 GMT+0800 (China Standard Time)

It's similar in concept to a convenience binary build, it needs to be called out explicitly and made clear that it is not the official distribution (that is always the source). You'll see a few projects using this approach now with the blessing of INFRA.

I've started a repos here:
https://github.com/apache/tika-docker

Requested Travis-CI build and DockerHub access, so hopefully can wire this to make an image publish part of the release ceremony.

Will port some of the improvements back here, and acknowledge those who provided PRs over there once I complete the README.

Matthias Pigulla · Answer 9 · Thu Jan 09 2020 14:04:57 GMT+0800 (China Standard Time)

Let us know if we can help

David Meikle · Answer 10 · Mon Feb 03 2020 19:21:07 GMT+0800 (China Standard Time)

As mentioned elsewhere, I've started the work to move this over to the ASF (I'm a Tika PMC member).

It's starting to take shape, with historical images published here:
https://hub.docker.com/r/apache/tika

Got some more tweaks to do to update the Git repos and then will start pointing users from this repos there.

Eric Pugh · Answer 11 · Mon Feb 03 2020 22:06:16 GMT+0800 (China Standard Time)

Thanks Dave!

…

On Mon, Feb 3, 2020 at 6:21 AM Dave Meikle ***@***.***> wrote: As mentioned elsewhere, I've started the work to move this over to the ASF (I'm a Tika PMC member). It's starting to take shape, with historical images published here: https://hub.docker.com/r/apache/tika Got some more tweaks to do to update the Git repos and then will start pointing users from this repos there. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#21?email_source=notifications&email_token=AAAFO63YZ4N6JX7PKIIHIZ3RA742HA5CNFSM4IK6IRQKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEKTO2MY#issuecomment-581365043>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAFO627PZQN35RTJ4IDK53RA742HANCNFSM4IK6IRQA> .