Posted to commits@poi.apache.org by us...@apache.org on 2014/08/18 08:52:25 UTC

svn commit: r6185 - /release/poi/release/RELEASE-NOTES.txt

Author: uschindler
Date: Mon Aug 18 06:52:25 2014
New Revision: 6185

Log:
Small changes to release notes

Modified:
    release/poi/release/RELEASE-NOTES.txt

Modified: release/poi/release/RELEASE-NOTES.txt
==============================================================================
--- release/poi/release/RELEASE-NOTES.txt (original)
+++ release/poi/release/RELEASE-NOTES.txt Mon Aug 18 06:52:25 2014
@@ -10,15 +10,15 @@ Changes
 The most notable changes in this release are:
 
 This release is a bugfix release to fix two security issues with OOXML:
+ - Tidy up the OPC SAX setup code with a new common Helper, preventing
+   external entity expansion (CVE-2014-3529).
  - On supported XML parser versions (Xerces or JVM built-in, XMLBeans 2.6),
    enforce sensible limits on entity expansion in OOXML files, and ensure
    that subsequent normal files still pass fine (CVE-2014-3574).
- - Tidy up the OPC SAX setup code with a new common Helper, preventing
-   external entity expansion (CVE-2014-3529).
- - Shipped version of xmlbeans.jar dependency updated to v2.6
 
 Please note: You should use xmlbeans-2.6.jar (as shipped with this release)
-instead of the xmlbeans-2.3.jar version from the 3.10-FINAL release.
+instead of the xmlbeans-2.3.jar version from the 3.10-FINAL release to work
+around CVE-2014-3574.
 
 A full list of changes is available in the change log: http://poi.apache.org/changes.html. 
 People interested should also follow the dev mailing list to track further progress.
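Review bot: In the reworded "Please note" paragraph, "to work around CVE-2014-3574" understates what the bullet list says. The CVE-2014-3574 bullet states that the entity expansion limits are enforced "On supported XML parser versions (Xerces or JVM built-in, XMLBeans 2.6)", so a reader who leaves xmlbeans-2.3.jar on the classpath would appear not to get that protection at all. Suggest wording it as a requirement rather than a workaround, for example "You must use xmlbeans-2.6.jar (as shipped with this release) ... for the CVE-2014-3574 fix to take effect". Since the bullet "Shipped version of xmlbeans.jar dependency updated to v2.6" is removed here, this paragraph becomes the only place that tells users the dependency changed, which is one more reason to make it explicit.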


