From a8307f861888c5c84e8fc35071fdee1bb0cfbd9c Mon Sep 17 00:00:00 2001
From: Rene Pfeuffer
Date: Mon, 12 Jan 2026 09:44:26 +0000
Subject: [PATCH] Update Tika to mitigate CVE-2025-54988 and CVE-2025-66516

To do so, we also have to update slf4j, logback, and spotter.
---
 gradle/changelog/tika.yaml | 2 ++
 gradle/dependencies.gradle | 8 ++++----
 yarn.lock | 2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)
 create mode 100644 gradle/changelog/tika.yaml

diff --git a/gradle/changelog/tika.yaml b/gradle/changelog/tika.yaml
new file mode 100644
index 0000000000..32715cefb1
--- /dev/null
+++ b/gradle/changelog/tika.yaml
@@ -0,0 +1,2 @@
+- type: fixed
+ description: Update of Tika to mitigate CVE-2025-54988 and CVE-2025-66516
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index c5de824bbf..0780f1fceb 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -1,5 +1,5 @@
 ext {
- slf4jVersion = '1.7.36'
+ slf4jVersion = '2.0.17'
 guiceVersion = '7.0.0'
 resteasyVersion = '6.2.12.Final'
 
@@ -40,7 +40,7 @@ ext {
 // logging
 slf4jApi: "org.slf4j:slf4j-api:${slf4jVersion}",
 slf4jJcl: "org.slf4j:jcl-over-slf4j:${slf4jVersion}",
- logback: 'ch.qos.logback:logback-classic:1.2.9',
+ logback: 'ch.qos.logback:logback-classic:1.5.23',
 
 // injection
 guice: "com.google.inject:guice:${guiceVersion}",
@@ -136,8 +136,8 @@ ext {
 webResources: 'com.github.sdorra:web-resources:2.0.0',
 
 // content type detection
- spotter: 'com.cloudogu.spotter:spotter-core:4.0.0',
- tika: 'org.apache.tika:tika-core:1.28.5',
+ spotter: 'com.cloudogu.spotter:spotter-core:4.1.0',
+ tika: 'org.apache.tika:tika-core:3.2.2',
 
 // restart on unix
 akuma: 'org.kohsuke:akuma:1.10',
diff --git a/yarn.lock b/yarn.lock
index 8e0c4fdc1b..336a8939ae 100644
--- a/yarn.lock
+++ b/yarn.lock
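Review bot: The jump of `slf4jVersion` from 1.7.36 to 2.0.17 in the first hunk of gradle/dependencies.gradle changes how the logging backend is discovered, and nothing in the file records that. slf4j-api 2.x finds its provider through ServiceLoader and ignores 1.7-style bindings, falling back to a no-op logger, so a stale binding jar brought in by a plugin or left on the classpath would silence logging rather than fail the build. I would add a comment above the variable, `// slf4j 2.x loads its provider via ServiceLoader; keep in step with the logback version below`, and confirm at startup that logback is the provider actually bound. The `ext` block continues outside the hunk, so other logging artifacts may exist that this view does not show.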
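Review bot: Only the direct `tika-core` coordinate is raised to 3.2.2 in the third hunk of gradle/dependencies.gradle, and no comment marks that version as a security floor. If a module or plugin brings in a different Tika artifact (such as a parser module) transitively, an older Tika jar could still sit beside the new core. That cannot be judged from this hunk, so the resolved graph is worth checking, for example with Gradle's `dependencyInsight` task. I would add `// tika >= 3.2.2 is required for CVE-2025-54988 and CVE-2025-66516; do not lower` above the `tika:` line so a later dependency clean-up does not undo the fix. The `ext` block starts and ends outside the hunk.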
@@ -3148,7 +3148,7 @@
 unist-util-generated "^1.1.6"
 unist-util-visit "^2.0.3"
 
-"@scm-manager/tsconfig@^2.13.0":
+"@scm-manager/tsconfig@^2.12.0", "@scm-manager/tsconfig@^2.13.0":
 version "2.13.0"
 resolved "https://registry.npmjs.org/@scm-manager/tsconfig/-/tsconfig-2.13.0.tgz"
 integrity sha512-Tc9LZAxHUKd+yVBHcCMyRVYTBjhJez+zj+ABxiTOdZOQp/WtJ2Zt084HWxWEOyrXHI6dgo3qv+1H6P1m+UcpoQ==