Bugzilla – Bug 1184892
VUL-0: CVE-2021-28657: tika-core: Infinite loop in MP3Parser
Last modified: 2024-05-13 11:35:04 UTC
CVE-2021-28657: A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1944881
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28657
http://seclists.org/oss-sec/2021/q1/277
https://access.redhat.com/security/cve/CVE-2021-28657
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28657
https://lists.apache.org/thread.html/r915add4aa52c60d1b5cf085039cfa73a98d7fae9673374dfd7744b5a%40%3Cdev.tika.apache.org%3E
Tracked SUMA 4.0 and 4.1 based on the version as affected.
Reassigning to our Round Robin Bug Guy (Jochen). One of the Java developers should take care, so I guess Orion or Hexagon squads.
Setting this to P2 until we know more. Seems like this is a dependency of nutch, which is used for search in SUMA/Uyuni.
Hi Alexandros, As this package is suse-manager only and the issue is only in MP3Parser where suse-manager is making no use of this code path and there is very little probability that it will in the future either, would you be ok reducing the priority of this issue?
(In reply to Abid Mehmood from comment #5)
> Hi Alexandros,
>
> As this package is suse-manager only and the issue is only in MP3Parser
> where suse-manager is making no use of this code path and there is very
> little probability that it will in the future either, would you be ok
> reducing the priority of this issue?

Done
SUSE-RU-2021:2099-1: An update that has 38 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1151558,1172711,1175216,1178767,1180673,1180994,1182744,1182954,1183573,1183649,1183845,1183864,1184005,1184286,1184311,1184332,1184351,1184361,1184471,1184475,1184561,1184617,1184849,1184892,1184929,1184940,1185042,1185097,1185281,1185506,1185568,1185965,1186025,1186124,1186346,1186508,1186765,1186858
CVE References:
JIRA References:
Sources used:
SUSE Manager Server 4.1 (src): release-notes-susemanager-4.1.8.1-3.52.1
SUSE Manager Retail Branch Server 4.1 (src): release-notes-susemanager-proxy-4.1.8-3.35.1
SUSE Manager Proxy 4.1 (src): release-notes-susemanager-proxy-4.1.8-3.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:2098-1: An update that solves two vulnerabilities and has 35 fixes is now available.

Category: security (moderate)
Bug References: 1151558,1172711,1175216,1178767,1180673,1182744,1183573,1183649,1183845,1183864,1184005,1184286,1184311,1184332,1184351,1184361,1184471,1184475,1184561,1184617,1184849,1184892,1184929,1184940,1185042,1185097,1185281,1185506,1185568,1185965,1186025,1186124,1186346,1186508,1186765,1186852,1186858
CVE References: CVE-2021-28657,CVE-2021-31607
JIRA References:
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src): cobbler-3.0.0+git20190806.32c4bae0-5.11.1, golang-github-prometheus-node_exporter-1.1.2-3.6.5, grafana-formula-0.4.1-3.9.2, patterns-suse-manager-4.1-6.9.2, prometheus-exporters-formula-0.9.1-3.22.1, py26-compat-salt-2016.11.10-6.14.2, py27-compat-salt-3000.3-6.3.2, spacewalk-admin-4.1.9-3.12.2, spacewalk-backend-4.1.25-4.32.6, spacewalk-branding-4.1.12-3.12.2, spacewalk-certs-tools-4.1.17-3.17.2, spacewalk-java-4.1.36-3.44.1, spacewalk-utils-4.1.16-3.18.2, spacewalk-web-4.1.26-3.24.8, susemanager-4.1.26-3.25.1, susemanager-build-keys-15.2.4-3.17.1, susemanager-doc-indexes-4.1-11.34.8, susemanager-docs_en-4.1-11.34.2, susemanager-schema-4.1.21-3.30.6, susemanager-sls-4.1.28-3.42.1, susemanager-sync-data-4.1.14-3.23.2, tika-core-1.26-3.5.2, uyuni-common-libs-4.1.8-3.9.1
SUSE-RU-2021:2115-1: An update that has 19 recommended fixes can now be installed.

Category: recommended (important)
Bug References: 1172711,1182817,1184005,1184283,1184311,1184332,1184361,1184471,1184475,1184561,1184617,1184861,1184892,1185097,1185281,1185506,1186124,1186346,1186508
CVE References:
JIRA References:
Sources used:
SUSE Manager Server 4.0 (src): release-notes-susemanager-4.0.14-3.74.1
SUSE Manager Retail Branch Server 4.0 (src): release-notes-susemanager-proxy-4.0.14-0.16.58.1
SUSE Manager Proxy 4.0 (src): release-notes-susemanager-proxy-4.0.14-0.16.58.1
SUSE-SU-2021:2114-1: An update that solves two vulnerabilities and has 17 fixes is now available.

Category: security (moderate)
Bug References: 1172711,1182817,1184005,1184283,1184311,1184332,1184361,1184471,1184475,1184561,1184617,1184861,1184892,1185097,1185281,1185506,1186124,1186346,1186508
CVE References: CVE-2021-28657,CVE-2021-31607
JIRA References:
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (src): cobbler-3.0.0+git20190806.32c4bae0-7.22.3, grafana-formula-0.2.3-4.16.3, patterns-suse-manager-4.0-9.19.3, prometheus-exporters-formula-0.7.6-3.19.3, pxe-default-image-sle15-4.0.1-20210621145802, py26-compat-salt-2016.11.10-10.28.3, py27-compat-salt-3000.3-4.3.3, spacewalk-backend-4.0.38-3.47.4, spacewalk-java-4.0.44-3.57.5, spacewalk-utils-4.0.21-3.30.3, spacewalk-web-4.0.28-3.45.1, susemanager-4.0.34-3.52.3, susemanager-doc-indexes-4.0-10.36.4, susemanager-docs_en-4.0-10.36.3, susemanager-sls-4.0.35-3.48.3, tika-core-1.26-3.6.3