poi-user mailing list archives

From "Javen O'Neal" <one...@apache.org>
Subject RE: [ANNOUNCE] Apache POI 3.17 released
Date Tue, 19 Sep 2017 15:28:49 GMT
+1, two CVEs.

On Sep 19, 2017 05:00, "Allison, Timothy B." <tallison@mitre.org> wrote:

> Resending with proper cc.  Thank you, Nick!
>
> -----Original Message-----
> From: Allison, Timothy B.
> Sent: Tuesday, September 19, 2017 7:57 AM
> To: user@poi.apache.org
> Subject: RE: [ANNOUNCE] Apache POI 3.17 released
>
> David,
>   Thank you for raising this issue.  If fellow devs are +1, I can fill out
> the paperwork.  Single CVE or multiple?
>
>       Best,
>
>              Tim
>
> -----Original Message-----
> From: davidedillard@gmail.com [mailto:davidedillard@gmail.com]
> Sent: Monday, September 18, 2017 12:40 PM
> To: user@poi.apache.org
> Subject: Re: [ANNOUNCE] Apache POI 3.17 released
>
> On 2017-09-16 18:06, Andreas Beeker <kiwiwings@apache.org> wrote:
> > The Apache POI project is pleased to announce the release of POI 3.17.
> > Featured are a handful of new areas of functionality, and numerous bug
> > fixes.
> > Changes
> > ------------
> > The most notable changes in this release are:
> >
> > - Various modules: add sanity checks and fix infinite loops / OOMs
> > caused by fuzzed data
>
> I've looked through the specific changes and several appear to be
> vulnerabilities (e.g. 61294 and 61300 among others).  Is the POI project
> planning to get CVEs for these issues?  If not, I'm happy to get them
> myself.  It makes the world a better place :-)
>
>
> Thanks,
>
> David
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@poi.apache.org For additional
> commands, e-mail: user-help@poi.apache.org
