Posted to announce@apache.org by Uwe Schindler <us...@apache.org> on 2014/08/19 01:25:04 UTC

[ANNOUNCE] Apache POI 3.10.1 released

The Apache POI project is pleased to announce the release of POI 3.10.1-20140818. 
This release is a bugfix release to fix two security issues with OOXML.

See the downloads page for binary and source distributions: http://poi.apache.org/download.html

Note: The Apache Software Foundation uses an extensive mirroring network
for distributing releases. It is possible that the mirror you are using
may not have replicated the release yet. If that is the case, please
try another mirror. This also goes for Maven access.

Release Notes 

Changes
------------
The most notable changes in this release are:

This release is a bugfix release to fix two security issues with OOXML:
 - Tidy up the OPC SAX setup code with a new common Helper, preventing
   external entity expansion (CVE-2014-3529).
 - On supported XML parser versions (Xerces or JVM built-in, XMLBeans 2.6),
   enforce sensible limits on entity expansion in OOXML files, and ensure
   that subsequent normal files still pass fine (CVE-2014-3574).

Please note: You should use xmlbeans-2.6.jar (as shipped with this release)
instead of the xmlbeans-2.3.jar version from the 3.10-FINAL release to work
around CVE-2014-3574. If you have an alternate XML parser like Apache Xerces
in classpath, be sure to use a recent version! Older versions are likely to
break on setting required security features.

Thanks to Stefan Kopf, Mike Boufford, and Christian Schneider for reporting
these issues!

A full list of changes is available in the change log: http://poi.apache.org/changes.html. 
People interested should also follow the dev mailing list to track further progress.

Release Contents
----------------

This release comes in two forms:
 - pre-built binaries containing compiled versions of all Apache POI components and documentation 
   (poi-bin-3.10.1-20140818.zip or poi-bin-3.10.1-20140818.tar.gz)
 - source archive you can build POI from (poi-src-3.10.1-20140818.zip or poi-src-3.10.1-20140818.tar.gz)
  Unpack the archive and use the following command to build all POI components with Apache Ant 1.6+ and JDK 1.5 or higher:

  ant jar

 Pre-built versions of all POI components are also available in the central Maven repository 
 under Group ID "org.apache.poi" and Version "3.10.1-20140818"

All release artifacts are accompanied by MD5 checksums and PGP signatures
that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at 
http://svn.apache.org/repos/asf/poi/tags/REL_3_10_1/KEYS

About Apache POI
-----------------------

Apache POI is well-known in the Java field as a library for reading and
writing Microsoft Office file formats, such as Excel, PowerPoint, Visio and
Word. Since POI 3.5, the new OOXML (Office Open XML) formats introduced in Office 2007 have been supported.
See http://poi.apache.org/ for more details.

On behalf of the Apache POI PMC,
Uwe

-----
Uwe Schindler
uschindler@apache.org 
Apache Lucene PMC Member / Committer
Apache POI PMC Member / Committer
Bremen, Germany
http://lucene.apache.org/
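
The two fixes named in the release notes above (no external entity expansion, limits on entity expansion) correspond to standard JAXP/Xerces parser settings. The following is an added example, not part of the original announcement and not POI's own helper code; the class and method names are hypothetical, the input is constructed, and Java 8+ is assumed for the lambda.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxDemo {
    // Hypothetical helper: the single place where every XMLReader is built.
    static XMLReader newHardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        // Turns on the parser's entity-expansion limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // No external general/parameter entities and no external DTD loading.
        // A parser that does not know a feature throws here, which is the
        // "older versions are likely to break" case from the announcement.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader r = f.newSAXParser().getXMLReader();
        // Defence in depth: any external lookup that is still attempted
        // receives empty content instead of a file or network resource.
        r.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return r;
    }

    // Parses one XML part and returns its concatenated character data.
    static String parse(String xml) throws Exception {
        final StringBuilder text = new StringBuilder();
        XMLReader r = newHardenedReader();
        r.setContentHandler(new DefaultHandler() {
            @Override public void characters(char[] ch, int start, int len) {
                text.append(ch, start, len);
            }
        });
        r.parse(new InputSource(new StringReader(xml)));
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a part declaring an external entity, then a normal part.
        String withEntity = "<!DOCTYPE t [<!ENTITY x SYSTEM \"file:///nonexistent-example\">]>"
                + "<t>a&x;b</t>";
        String normal = "<t>plain text</t>";
        System.out.println("part with external entity -> [" + parse(withEntity) + "]");
        System.out.println("subsequent normal part    -> [" + parse(normal) + "]");
    }
}
```

Running this against the XML parser actually on the classpath shows whether that parser accepts all four settings; an exception from `setFeature` means it predates them.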



RE: [ANNOUNCE] Apache POI 3.10.1 released

Posted by Martin Gainty <mg...@hotmail.com>.
As long as I can read docx I am eternally grateful

Many thanks, Uwe

Martin 
________________


> From: uschindler@apache.org
> To: announce@apache.org
> CC: dev@poi.apache.org; user@poi.apache.org; announcements@jakarta.apache.org
> Subject: [ANNOUNCE] Apache POI 3.10.1 released
> Date: Tue, 19 Aug 2014 01:25:04 +0200