Posted to commits@poi.apache.org by us...@apache.org on 2014/08/18 08:52:25 UTC
svn commit: r6185 - /release/poi/release/RELEASE-NOTES.txt
Author: uschindler
Date: Mon Aug 18 06:52:25 2014
New Revision: 6185
Log:
Small changes to release notes
Modified:
release/poi/release/RELEASE-NOTES.txt
Modified: release/poi/release/RELEASE-NOTES.txt
==============================================================================
--- release/poi/release/RELEASE-NOTES.txt (original)
+++ release/poi/release/RELEASE-NOTES.txt Mon Aug 18 06:52:25 2014
@@ -10,15 +10,15 @@ Changes
The most notable changes in this release are:
This release is a bugfix release to fix two security issues with OOXML:
+ - Tidy up the OPC SAX setup code with a new common Helper, preventing
+ external entity expansion (CVE-2014-3529).
- On supported XML parser versions (Xerces or JVM built-in, XMLBeans 2.6),
enforce sensible limits on entity expansion in OOXML files, and ensure
that subsequent normal files still pass fine (CVE-2014-3574).
- - Tidy up the OPC SAX setup code with a new common Helper, preventing
- external entity expansion (CVE-2014-3529).
- - Shipped version of xmlbeans.jar dependency updated to v2.6
Please note: You should use xmlbeans-2.6.jar (as shipped with this release)
-instead of the xmlbeans-2.3.jar version from the 3.10-FINAL release.
+instead of the xmlbeans-2.3.jar version from the 3.10-FINAL release to work
+around CVE-2014-3574.
A full list of changes is available in the change log: http://poi.apache.org/changes.html.
People interested should also follow the dev mailing list to track further progress.
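Review bot: In the reworded "Please note" paragraph, "to work around CVE-2014-3574" undersells the dependency. The CVE-2014-3574 bullet says the entity expansion limits are enforced on supported XML parser versions, XMLBeans 2.6 among them, so a reader who keeps xmlbeans-2.3.jar may not get those limits. Consider stating that directly, for example "because the entity expansion limits for CVE-2014-3574 are only enforced with XMLBeans 2.6", and consider whether "should" is strong enough for a security fix. Since this hunk also drops the "Shipped version of xmlbeans.jar dependency updated to v2.6" bullet, the parenthetical "(as shipped with this release)" is now the only place the dependency bump is documented, so it needs to stay.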