poi-general mailing list archives

From Andreas Beeker <kiwiwi...@apache.org>
Subject [ANNOUNCE] Apache POI 4.1.1 released
Date Sun, 20 Oct 2019 19:52:46 GMT
The Apache POI project is pleased to announce the release of POI 4.1.1.
Featured are a handful of new areas of functionality, and numerous bug fixes.

See the downloads page for binary and source distributions: https://poi.apache.org/download.html

Release Notes

Changes
------------
The most notable changes in this release are:

- XSSF: Memory improvements which use much less memory while writing large xlsx files
- XDDF: Improved chart support: more types and some API changes around angles and width units
- updated dependencies to Bouncycastle 1.62, Commons-Codec 1.13, Commons-Collections4 4.4,
Commons-Compress 1.19
- XWPF: Additional API methods
- XSSF: Fixes to XSSFSheet.addMergedRegion() and XSSFRow.shiftRows()
- EMF/HSLF: Rendering fixes
- CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI

A full list of changes is available in the change log: https://poi.apache.org/changes.html.
People interested should also follow the dev mailing list to track further progress.


CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI
-------------------------------------------------------------------

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache POI up to version 4.1.0

Description:
When using the tool XSSFExportToXml to convert user-provided Microsoft
Excel documents, a specially crafted document can allow an attacker to
read files from the local filesystem or from internal network resources
via XML External Entity (XXE) Processing.

Mitigation:
Apache POI 4.1.0 and before: users who do not use the tool XSSFExportToXml
are not affected. Affected users are advised to update to Apache POI 4.1.1,
which fixes this vulnerability.

Credit:
This issue was discovered by Artem Smotrakov from SAP

References:
https://en.wikipedia.org/wiki/XML_external_entity_attack



Release Contents
----------------

This release comes in two forms:
 - pre-built binaries containing compiled versions of all Apache POI components and documentation
   (poi-bin-4.1.1-20191023.zip or poi-bin-4.1.1-20191023.tar.gz)
 - source archive you can build POI from (poi-src-4.1.1-20191023.zip or poi-src-4.1.1-20191023.tar.gz)
   Unpack the archive and use the following command to build all POI components
   with Apache Ant 1.8+ and JDK 1.8 or higher:

  ant jar

 Pre-built versions of all POI components are also available in the central Maven repository
 under Group ID "org.apache.poi" and Version "4.1.1"

All release artifacts are accompanied by MD5 checksums and PGP signatures.
The checksum lets you confirm that a download arrived intact; only the PGP
signature, checked against a key from the project's KEYS file, establishes
that the artifact is authentic.
The public key used for the PGP signature can be found at
https://svn.apache.org/repos/asf/poi/tags/REL_4_1_1/KEYS

About Apache POI
-----------------------

Apache POI is well-known in the Java field as a library for reading and
writing Microsoft Office file formats, such as Excel, PowerPoint, Word,
Visio, Publisher and Outlook. It supports both the older (OLE2) and
new (OOXML - Office Open XML) formats.

See https://poi.apache.org/ for more details



Thanks to all our contributors for making this release possible.

On behalf of the Apache POI PMC,
Andi


