is there a release that uses MetadataExtractorVersion 2.12.0 or higher? #187

Closed
philipjss opened this issue Feb 19, 2020 · 7 comments

@philipjss
Contributor

Hello,

I work on a project that uses what seems to be the latest release of scrimage-core, i.e. 3.0.0-alpha4, dated 14 Sep 2017. The latter uses com.drewnoakes:metadata-extractor:2.10.1, which suffers from the following WhiteSource security vulnerability:

mchernolevskyi/photoTrivia#46
https://nvd.nist.gov/vuln/detail/CVE-2019-14262#VulnChangeHistorySection

I see that in the following commit in Nov 2019 you upgraded to version 2.12.0 of metadata-extractor:

84f4d47#diff-215113124f1de02f228327ba7abb45f7

I think that the new version of metadata-extractor fixes the vulnerability (drewnoakes/metadata-extractor-dotnet#190 (comment)).

The issue I have is that I cannot find any scrimage-core releases incorporating the commit that upgrades the version of metadata-extractor. If I look in https://mvnrepository.com/artifact/com.sksamuel.scrimage/scrimage-core I see that the latest release of scrimage is 3.0.0-alpha4, dated Sep, 2017. If I look at the scrimage releases tab in GitHub I also see the latest is 3.0.0-alpha4, dated Sep, 2017.

Have you published new versions of scrimage-core since 3.0.0-alpha4? If not, would you kindly consider publishing one?

Thank you in advance for your help.

Philip Schwarz.

@philipjss philipjss changed the title is there a release that uses MetadataExtractorVersion 2.12.0? is there a release that uses MetadataExtractorVersion 2.12.0 or higher? Feb 19, 2020
@drewnoakes

@philipjss
Contributor Author

@drewnoakes thank you very much for that info.

@sksamuel
Owner

I've merged this and am working to get a 3.0 beta1 release this weekend or shortly after.

@philipjss
Contributor Author

@sksamuel great news! thanks for the quick response.

Is the new release going to be called 3.0 beta1? Just checking because here I see a 4.0.0-BETA1 and the README now says "This readme is for the 4.0.0 pre-release"

@sksamuel
Owner

I have released 4.0.0-BETA1. I have bumped the versions from 3 to 4 because (even though 3 was never fully released) 4 has changed internally from Scala to Java with some slight public API tweaks. The end use case should be almost identical though. Image is now ImmutableImage but all the methods stay the same. You should only need to bump your version and make minor changes.

@sksamuel
Owner

I've released 4.0.0 final now after using the 4.0 beta successfully

@philipjss
Contributor Author

@sksamuel great - thanks for that!
