Was: "SECURITY NOTICE: Critical vulnerability…" and patch


Michael Plate
Jan 15, 2026, 11:53:28 AM
to dspac...@googlegroups.com
Hi,

following

https://github.com/DSpace/DSpace/issues/11678

I have applied the patch to our DSpace 8.0 test system.

The patch did not apply ootb, mostly stuff inside the pom.xml (the patch did
not find the matching text); I corrected it manually and it compiled and
installed.

However, running "filter-media -p "Text Extractor" -v -f"
on the repo failed on an xlsx file with something like
java.lang.NoSuchMethodError:
'org.apache.commons.io.input.BoundedInputStream$Builder
org.apache.commons.io.input.BoundedInputStream.builder()
[…]


I did some research and ended up editing the pom.xml again, changing
some Apache Commons dependencies to the versions from the latest 8.x release:

old:
[…]
<dependency>
    <groupId>commons-io</groupId>
    <artifactId>commons-io</artifactId>
    <version>2.15.1</version>
</dependency>
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-lang3</artifactId>
    <version>3.14.0</version>
</dependency>
[…]

new:
[…]
<dependency>
    <groupId>commons-io</groupId>
    <artifactId>commons-io</artifactId>
    <version>2.21.0</version>
</dependency>
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-lang3</artifactId>
    <version>3.20.0</version>
</dependency>
[…]

It compiled, installed, and filter-media worked.

My concern is that this presumably has side effects I don't know about. So I'm asking
for some comments on this approach, or whether anyone else has had the same experience?

Michael

DSpace Technical Support
Jan 15, 2026, 3:32:20 PM
to DSpace Technical Support
Hi Michael,

Good catch. I think you are correct that commons-io and commons-lang3 may need to be updated if you try to perform a manual patch. We didn't realize that the latest versions of PDFBox and Tika depend on changes that are specific to those latest versions of commons-io and commons-lang3.

I suspect others may have just upgraded directly to 7.6.6, 8.3 or 9.2, which is why we hadn't caught this mistake in the patch instructions sooner.

In any case, I've updated the issue ticket with these details: https://github.com/DSpace/DSpace/issues/11678

Tim
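A check that follows from both messages above, added here as an example (not code from the thread or the DSpace project): it reads "mvn dependency:tree" output, a constructed sample of which is embedded, and reports whether the commons-io and commons-lang3 versions Maven actually resolved meet the 2.21.0 / 3.20.0 minimums Michael found working; the Maven invocation in the comment is assumed usage.

```shell
#!/bin/sh
# Added example, not code from the thread or the DSpace project. After a manual
# backport, check which commons-io / commons-lang3 versions Maven actually
# resolved: a transitive "nearest wins" pick of an older version is what makes
# BoundedInputStream.builder() vanish at filter-media time (NoSuchMethodError).
# Assumed usage on a real checkout:  mvn dependency:tree | check_tree
MIN_COMMONS_IO="2.21.0"      # versions the thread reports as working
MIN_COMMONS_LANG3="3.20.0"
# version_ge A B: exit 0 when dotted version A >= B, compared component-wise
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}
# resolved_version GROUP ARTIFACT: reads dependency:tree text on stdin, prints
# the version Maven picked, e.g. "[INFO] +- commons-io:commons-io:jar:2.15.1:compile"
resolved_version() {
    grep -o "$1:$2:jar:[^:]*:" | head -n 1 | cut -d: -f4
}

# check_one NAME RESOLVED MIN: report, return 0 only if RESOLVED >= MIN
check_one() {
    if [ -z "$2" ]; then echo "FAIL $1: not present in the tree"; return 1; fi
    if version_ge "$2" "$3"; then echo "ok   $1 $2"; return 0; fi
    echo "FAIL $1 $2 (need >= $3)"; return 1
}

# check_tree: dependency:tree text on stdin; exit 0 only if both minimums are
# met, so it can gate a deploy script after the pom.xml edit.
check_tree() {
    tree=$(cat)
    io=$(printf '%s\n' "$tree" | resolved_version commons-io commons-io)
    lang=$(printf '%s\n' "$tree" | resolved_version org.apache.commons commons-lang3)
    status=0
    check_one commons-io "$io" "$MIN_COMMONS_IO" || status=1
    check_one commons-lang3 "$lang" "$MIN_COMMONS_LANG3" || status=1
    return $status
}
# Constructed sample of dependency:tree output with the pre-bump versions.
SAMPLE_TREE='[INFO] org.dspace:dspace-api:jar:8.0
[INFO] +- commons-io:commons-io:jar:2.15.1:compile
[INFO] \- org.apache.commons:commons-lang3:jar:3.14.0:compile'
printf '%s\n' "$SAMPLE_TREE" | check_tree || echo "bump the versions before deploying"
```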