Posted to commits@poi.apache.org by ce...@apache.org on 2017/03/20 20:06:10 UTC
svn commit: r1787838 - in /poi/site: publish/index.html
src/documentation/content/xdocs/index.xml
Author: centic
Date: Mon Mar 20 20:06:10 2017
New Revision: 1787838
URL: http://svn.apache.org/viewvc?rev=1787838&view=rev
Log:
Publish CVE-2017-5644
Modified:
poi/site/publish/index.html
poi/site/src/documentation/content/xdocs/index.xml
Modified: poi/site/publish/index.html
URL: http://svn.apache.org/viewvc/poi/site/publish/index.html?rev=1787838&r1=1787837&r2=1787838&view=diff
==============================================================================
--- poi/site/publish/index.html (original)
+++ poi/site/publish/index.html Mon Mar 20 20:06:10 2017
@@ -266,11 +266,34 @@ if (VERSION > 3) {
</h3>
</div>
+
+<a name="20+March+2017+-+CVE-2017-5644+-+Possible+DOS+%28Denial+of+Service%29+in+Apache+POI+versions+prior+to+3.15"></a>
+<div class="h4">
+<h4>20 March 2017 - CVE-2017-5644 - Possible DOS (Denial of Service) in Apache POI versions prior to 3.15<a title="Permanent link" class="headerlink" href="#20+March+2017+-+CVE-2017-5644+-+Possible+DOS+%28Denial+of+Service%29+in+Apache+POI+versions+prior+to+3.15">#</a>
+</h4>
+</div>
+
+<p>
+ Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption)
+ via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
+
+ Users with applications which accept content from external or untrusted sources are advised to upgrade to
+ Apache POI 3.15 or newer.
+
+ Thanks to Xiaolong Zhu and Huijun Chen from Huawei Technologies Co., Ltd. for reporting the vulnerability.
+ </p>
+
+<a name="16+March+2017+-+Google+Summer+of+Code"></a>
+<div class="h4">
+<h4>16 March 2017 - Google Summer of Code<a title="Permanent link" class="headerlink" href="#16+March+2017+-+Google+Summer+of+Code">#</a>
+</h4>
+</div>
+
<p>The Apache POI project is participating in Google Summer of Code as a project under the Apache Software Foundation. Pick an area of POI that you would like to see developed further and apply to be a GSoC Student. We will happily mentor individuals even if they are not ultimately enrolled as a GSoC Student by Google. <a href="https://community.apache.org/gsoc.html">Read more...</a>
</p>
-
+
<!-- latest beta release, if newer than latest final release -->
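Review bot: The new advisory <p> holds three separate statements (the vulnerability description, the upgrade advice, and the credit to the reporters) divided only by blank lines, which HTML collapses, so they will render as one run-on paragraph. Consider giving each statement its own <p> element so that the advice to upgrade to "Apache POI 3.15 or newer" stands out for readers who accept untrusted files. The final change in the hunk replaces one blank line with another, which looks like whitespace-only churn and could be left out.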
@@ -339,20 +362,6 @@ if (VERSION > 3) {
<p>See the <a href="download.html#POI-3.15">downloads</a> page for more details.</p>
-
-<a name="12+January+2016+-+New+case+study+-+Deutsche+Bahn"></a>
-<div class="h4">
-<h4>12 January 2016 - New case study - Deutsche Bahn<a title="Permanent link" class="headerlink" href="#12+January+2016+-+New+case+study+-+Deutsche+Bahn">#</a>
-</h4>
-</div>
-
-<p>A new case study by Deutsche Bahn was published <a href="casestudies.html#Deutsche+Bahn">here</a>. </p>
-
-<p>It describes how Deutsche Bahn Netz AG (the owner of the German rail infrastructure) uses POI to process specification
- documents for a European-wide railroad cooperation effort (<a href="http://openetcs.org/">openETCS</a>).
- The description contains links to more detailed information so take a look!</p>
-
-
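Review bot: The log message says only "Publish CVE-2017-5644", but this hunk removes the "12 January 2016 - New case study - Deutsche Bahn" news item, which has nothing to do with the advisory. Either mention the removal in the log or commit it separately, so that the revision publishing the security announcement contains only the announcement and is easy to reference and audit.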
Modified: poi/site/src/documentation/content/xdocs/index.xml
URL: http://svn.apache.org/viewvc/poi/site/src/documentation/content/xdocs/index.xml?rev=1787838&r1=1787837&r2=1787838&view=diff
==============================================================================
--- poi/site/src/documentation/content/xdocs/index.xml (original)
+++ poi/site/src/documentation/content/xdocs/index.xml Mon Mar 20 20:06:10 2017
@@ -34,9 +34,21 @@
<body>
<section><title>Project News</title>
+ <section><title>20 March 2017 - CVE-2017-5644 - Possible DOS (Denial of Service) in Apache POI versions prior to 3.15</title>
+ <p>
+ Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption)
+ via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
- <p>The Apache POI project is participating in Google Summer of Code as a project under the Apache Software Foundation. Pick an area of POI that you would like to see developed further and apply to be a GSoC Student. We will happily mentor individuals even if they are not ultimately enrolled as a GSoC Student by Google. <link href="https://community.apache.org/gsoc.html">Read more...</link></p>
+ Users with applications which accept content from external or untrusted sources are advised to upgrade to
+ Apache POI 3.15 or newer.
+ Thanks to Xiaolong Zhu and Huijun Chen from Huawei Technologies Co., Ltd. for reporting the vulnerability.
+ </p>
+ </section>
+
+ <section><title>16 March 2017 - Google Summer of Code</title>
+ <p>The Apache POI project is participating in Google Summer of Code as a project under the Apache Software Foundation. Pick an area of POI that you would like to see developed further and apply to be a GSoC Student. We will happily mentor individuals even if they are not ultimately enrolled as a GSoC Student by Google. <link href="https://community.apache.org/gsoc.html">Read more...</link></p>
+ </section>
<!-- latest beta release, if newer than latest final release -->
<section><title>02 February 2017 - POI 3.16 beta 2 available</title>
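Review bot: The advisory paragraph added under the CVE-2017-5644 title contains no link, although the Google Summer of Code item right below it uses a <link href="..."> element. A reader who is told to upgrade to 3.15 or newer has nothing to follow from here; consider linking the downloads page (download.html#POI-3.15 is already used further down this file) and a reference for the CVE. The title also spells the abbreviation "DOS", where "DoS" is the usual form for denial of service.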
@@ -80,13 +92,6 @@
<p>See the <link href="download.html#POI-3.15">downloads</link> page for more details.</p>
</section>
- <section><title>12 January 2016 - New case study - Deutsche Bahn</title>
- <p>A new case study by Deutsche Bahn was published <link href="casestudies.html#Deutsche+Bahn">here</link>. </p>
- <p>It describes how Deutsche Bahn Netz AG (the owner of the German rail infrastructure) uses POI to process specification
- documents for a European-wide railroad cooperation effort (<link href="http://openetcs.org/">openETCS</link>).
- The description contains links to more detailed information so take a look!</p>
- </section>
-
</section>
<section><title>Mission Statement</title>