Posted to commits@poi.apache.org by ki...@apache.org on 2019/10/19 17:58:33 UTC

svn commit: r36392 - /dev/poi/4.1.1-RC2/ /release/poi/dev/ /release/poi/release/ /release/poi/release/bin/ /release/poi/release/maven/ /release/poi/release/src/

Author: kiwiwings
Date: Sat Oct 19 17:58:33 2019
New Revision: 36392

Log:
deploy 4.1.1 release artifacts from staging area

Added:
    release/poi/dev/RELEASE-NOTES-4.1.1.txt
      - copied, changed from r36391, dev/poi/4.1.1-RC2/RELEASE-NOTES.txt
    release/poi/release/bin/poi-bin-4.1.1-20191023.tar.gz
      - copied unchanged from r36391, dev/poi/4.1.1-RC2/poi-bin-4.1.1-20191023.tar.gz
    release/poi/release/bin/poi-bin-4.1.1-20191023.tar.gz.asc
      - copied unchanged from r36391, dev/poi/4.1.1-RC2/poi-bin-4.1.1-20191023.tar.gz.asc
    release/poi/release/bin/poi-bin-4.1.1-20191023.tar.gz.sha256
      - copied unchanged from r36391, dev/poi/4.1.1-RC2/poi-bin-4.1.1-20191023.tar.gz.sha256
    release/poi/release/bin/poi-bin-4.1.1-20191023.tar.gz.sha512
      - copied unchanged from r36391, dev/poi/4.1.1-RC2/poi-bin-4.1.1-20191023.tar.gz.sha512
    release/poi/release/bin/poi-bin-4.1.1-20191023.zip
      - copied unchanged from r36391, dev/poi/4.1.1-RC2/poi-bin-4.1.1-20191023.zip
    release/poi/release/bin/poi-bin-4.1.1-20191023.zip.asc
      - copied unchanged from r36391, dev/poi/4.1.1-RC2/poi-bin-4.1.1-20191023.zip.asc
    release/poi/release/bin/poi-bin-4.1.1-20191023.zip.sha256
      - copied unchanged from r36391, dev/poi/4.1.1-RC2/poi-bin-4.1.1-20191023.zip.sha256
    release/poi/release/bin/poi-bin-4.1.1-20191023.zip.sha512
      - copied unchanged from r36391, dev/poi/4.1.1-RC2/poi-bin-4.1.1-20191023.zip.sha512
    release/poi/release/maven/
      - copied from r36391, dev/poi/4.1.1-RC2/maven/
    release/poi/release/src/poi-src-4.1.1-20191023.tar.gz
      - copied unchanged from r36391, dev/poi/4.1.1-RC2/poi-src-4.1.1-20191023.tar.gz
    release/poi/release/src/poi-src-4.1.1-20191023.tar.gz.asc
      - copied unchanged from r36391, dev/poi/4.1.1-RC2/poi-src-4.1.1-20191023.tar.gz.asc
    release/poi/release/src/poi-src-4.1.1-20191023.tar.gz.sha256
      - copied unchanged from r36391, dev/poi/4.1.1-RC2/poi-src-4.1.1-20191023.tar.gz.sha256
    release/poi/release/src/poi-src-4.1.1-20191023.tar.gz.sha512
      - copied unchanged from r36391, dev/poi/4.1.1-RC2/poi-src-4.1.1-20191023.tar.gz.sha512
    release/poi/release/src/poi-src-4.1.1-20191023.zip
      - copied unchanged from r36391, dev/poi/4.1.1-RC2/poi-src-4.1.1-20191023.zip
    release/poi/release/src/poi-src-4.1.1-20191023.zip.asc
      - copied unchanged from r36391, dev/poi/4.1.1-RC2/poi-src-4.1.1-20191023.zip.asc
    release/poi/release/src/poi-src-4.1.1-20191023.zip.sha256
      - copied unchanged from r36391, dev/poi/4.1.1-RC2/poi-src-4.1.1-20191023.zip.sha256
    release/poi/release/src/poi-src-4.1.1-20191023.zip.sha512
      - copied unchanged from r36391, dev/poi/4.1.1-RC2/poi-src-4.1.1-20191023.zip.sha512
Removed:
    dev/poi/4.1.1-RC2/
    release/poi/release/bin/poi-bin-4.1.0-20190412.tar.gz
    release/poi/release/bin/poi-bin-4.1.0-20190412.tar.gz.asc
    release/poi/release/bin/poi-bin-4.1.0-20190412.tar.gz.md5
    release/poi/release/bin/poi-bin-4.1.0-20190412.tar.gz.sha1
    release/poi/release/bin/poi-bin-4.1.0-20190412.tar.gz.sha256
    release/poi/release/bin/poi-bin-4.1.0-20190412.tar.gz.sha512
    release/poi/release/bin/poi-bin-4.1.0-20190412.zip
    release/poi/release/bin/poi-bin-4.1.0-20190412.zip.asc
    release/poi/release/bin/poi-bin-4.1.0-20190412.zip.md5
    release/poi/release/bin/poi-bin-4.1.0-20190412.zip.sha1
    release/poi/release/bin/poi-bin-4.1.0-20190412.zip.sha256
    release/poi/release/bin/poi-bin-4.1.0-20190412.zip.sha512
    release/poi/release/src/poi-src-4.1.0-20190412.tar.gz
    release/poi/release/src/poi-src-4.1.0-20190412.tar.gz.asc
    release/poi/release/src/poi-src-4.1.0-20190412.tar.gz.md5
    release/poi/release/src/poi-src-4.1.0-20190412.tar.gz.sha1
    release/poi/release/src/poi-src-4.1.0-20190412.tar.gz.sha256
    release/poi/release/src/poi-src-4.1.0-20190412.tar.gz.sha512
    release/poi/release/src/poi-src-4.1.0-20190412.zip
    release/poi/release/src/poi-src-4.1.0-20190412.zip.asc
    release/poi/release/src/poi-src-4.1.0-20190412.zip.md5
    release/poi/release/src/poi-src-4.1.0-20190412.zip.sha1
    release/poi/release/src/poi-src-4.1.0-20190412.zip.sha256
    release/poi/release/src/poi-src-4.1.0-20190412.zip.sha512
Modified:
    release/poi/release/RELEASE-NOTES.txt
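The artifact listing above shows each 4.1.1 archive shipped with a detached .sha256, .sha512 and .asc file, while the 4.1.0 set being removed also carried .md5 and .sha1 files. The script below is an added example, not part of the Apache POI release or its build tooling, of how a consumer checks a download against those companion files. It assumes POSIX sh with coreutils sha512sum (or Perl's shasum as a fallback) and gpg, plus a KEYS file fetched separately; the artifact names in the usage comment are the ones in this commit.

```shell
#!/bin/sh
# Added example (not Apache POI code): verify a downloaded release artifact
# against its detached .sha512 checksum file and .asc PGP signature.
# Assumes: POSIX sh, coreutils sha512sum (or shasum -a 512), gpg, and a KEYS
# file obtained out of band from the project.
set -u

# Print the SHA-512 digest of a file as 128 lowercase hex characters.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Extract the expected digest from a .sha512 file. ASF checksum files come in
# several layouts: "<hex>  <name>", a bare "<hex>", or the gpg --print-md style
# "<name>: ABCD EFGH ..." wrapped over several lines. Strip any "<name>:"
# prefix, drop whitespace, lowercase, and take the first run of 128 hex digits.
expected_sha512() {
    sed 's/^[^:]*: *//' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f' \
        | grep -o '[0-9a-f]\{128\}' | head -n 1
}

# verify_sha512 ARTIFACT CHECKSUM_FILE -> exit 0 on match, 1 on mismatch or
# when no digest could be parsed from the checksum file.
verify_sha512() {
    computed=$(sha512_of "$1")
    expected=$(expected_sha512 "$2")
    [ -n "$expected" ] && [ "$computed" = "$expected" ]
}

# verify_signature ARTIFACT ASC_FILE KEYS_FILE -> exit 0 only when gpg accepts
# the detached signature against a key imported from KEYS into a throwaway
# keyring, so a signature from an unknown or unrelated key fails even when the
# checksum above matched.
verify_signature() {
    tmp=$(mktemp -d) || return 1
    gpg --homedir "$tmp" --batch --quiet --import "$3" >/dev/null 2>&1 &&
        gpg --homedir "$tmp" --batch --verify "$2" "$1" >/dev/null 2>&1
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage, with the artifact names from this commit (run in the download dir):
#   verify_sha512 poi-bin-4.1.1-20191023.tar.gz poi-bin-4.1.1-20191023.tar.gz.sha512 || exit 1
#   verify_signature poi-bin-4.1.1-20191023.tar.gz poi-bin-4.1.1-20191023.tar.gz.asc KEYS || exit 1
```

Fetch the .sha512 and .asc files and KEYS from the project's own download site rather than from the mirror that served the archive: a checksum hosted next to the archive only proves the transfer was not corrupted, while the PGP signature checked against a key from KEYS is what ties the archive to the release manager.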

Copied: release/poi/dev/RELEASE-NOTES-4.1.1.txt (from r36391, dev/poi/4.1.1-RC2/RELEASE-NOTES.txt)
==============================================================================
--- dev/poi/4.1.1-RC2/RELEASE-NOTES.txt (original)
+++ release/poi/dev/RELEASE-NOTES-4.1.1.txt Sat Oct 19 17:58:33 2019
@@ -15,10 +15,42 @@ The most notable changes in this release
 - XWPF: Additional API methods
 - XSSF: Fixes to XSSFSheet.addMergedRegion() and XSSFRow.shiftRows()
 - EMF/HSLF: Rendering fixes
+- CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI
 
 A full list of changes is available in the change log: https://poi.apache.org/changes.html. 
 People interested should also follow the dev mailing list to track further progress.
 
+
+CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI
+-------------------------------------------------------------------
+
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Apache POI up to version 4.1.0
+
+Description:
+When using the tool XSSFExportToXml to convert user-provided Microsoft
+Excel documents, a specially crafted document can allow an attacker to
+read files from the local filesystem or from internal network resources
+via XML External Entity (XXE) Processing.
+
+Mitigation:
+Apache POI 4.1.0 and before: users who do not use the tool XSSFExportToXml
+are not affected. affected users are advised to update to Apache POI 4.1.1
+which fixes this vulnerability.
+
+Credit:
+This issue was discovered by Artem Smotrakov from SAP
+
+References:
+https://en.wikipedia.org/wiki/XML_external_entity_attack
+
+
+
 Release Contents
 ----------------
 
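Review bot: in the Mitigation paragraph the second sentence starts in lower case after a full stop ("are not affected. affected users are advised"); capitalise "Affected". The References list for the advisory gives only the Wikipedia article on XXE; add a link to the project's own security advisory for CVE-2019-12415 so readers reach the authoritative text rather than a general description of the attack class. It would also help to state in Description which input the tool treats as untrusted (the Excel document being converted) so that readers can judge whether their deployment passes user-supplied files to XSSFExportToXml.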

Modified: release/poi/release/RELEASE-NOTES.txt
==============================================================================
--- release/poi/release/RELEASE-NOTES.txt (original)
+++ release/poi/release/RELEASE-NOTES.txt Sat Oct 19 17:58:33 2019
@@ -1,53 +1,81 @@
-The Apache POI project is pleased to announce the release of POI 4.1.0. 
-Featured are a handful of new areas of functionality, and numerous bug fixes.
-
-See the downloads page for binary and source distributions: https://poi.apache.org/download.html
-
-Release Notes 
-
-Changes
-------------
-The most notable changes in this release are:
-
-* Improved support/fixes for Java 9+ and IBM JVM
-* New EMF renderer and support of SVG images in XSLF
-* Security, stability and memory/resource handling improvements
-* Various bug fixes across function and conditional format rule evaluation
-* Upgrade to XMLBeans 3.1.0
-* Upgrade to Bouncycastle 1.61
-* Upgrade to Curvesapi 1.06
-* Upgrade to Commons-Codec 1.12
-* Upgrade to Commons-Collections4 4.3
-* Upgrade to XMLSec 2.1.2
-
-A full list of changes is available in the change log: https://poi.apache.org/changes.html. 
-People interested should also follow the dev mailing list to track further progress.
-
-Release Contents
-----------------
-
-This release comes in two forms:
- - pre-built binaries containing compiled versions of all Apache POI components and documentation 
-   (poi-bin-4.1.0-20190412.zip or poi-bin-4.1.0-20190412.tar.gz)
- - source archive you can build POI from (poi-src-4.1.0-20190412.zip or poi-src-4.1.0-20190412.tar.gz)
-  Unpack the archive and use the following command to build all POI components with Apache Ant 1.8+ and JDK 1.8 or higher:
-
-  ant jar
-
- Pre-built versions of all POI components are also available in the central Maven repository 
- under Group ID "org.apache.poi" and Version "4.1.0"
-
-All release artifacts are accompanied by MD5 checksums and PGP signatures
-that you can use to verify the authenticity of your download.
-The public key used for the PGP signature can be found at 
-https://svn.apache.org/repos/asf/poi/tags/REL_4_1_0/KEYS
-
-About Apache POI
------------------------
-
-Apache POI is well-known in the Java field as a library for reading and
-writing Microsoft Office file formats, such as Excel, PowerPoint, Word,
-Visio, Publisher and Outlook. It supports both the older (OLE2) and
-new (OOXML - Office Open XML) formats.
-
-See https://poi.apache.org/ for more details
+The Apache POI project is pleased to announce the release of POI 4.1.1. 
+Featured are a handful of new areas of functionality, and numerous bug fixes.
+
+See the downloads page for binary and source distributions: https://poi.apache.org/download.html
+
+Release Notes 
+
+Changes
+------------
+The most notable changes in this release are:
+
+- XSSF: Memory improvements which use much less memory while writing large xlsx files
+- XDDF: Improved chart support: more types and some API changes around angles and width units
+- updated dependencies to Bouncycastle 1.62, Commons-Codec 1.13, Commons-Collections4 4.4, Commons-Compress 1.19
+- XWPF: Additional API methods
+- XSSF: Fixes to XSSFSheet.addMergedRegion() and XSSFRow.shiftRows()
+- EMF/HSLF: Rendering fixes
+- CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI
+
+A full list of changes is available in the change log: https://poi.apache.org/changes.html. 
+People interested should also follow the dev mailing list to track further progress.
+
+
+CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI
+-------------------------------------------------------------------
+
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Apache POI up to version 4.1.0
+
+Description:
+When using the tool XSSFExportToXml to convert user-provided Microsoft
+Excel documents, a specially crafted document can allow an attacker to
+read files from the local filesystem or from internal network resources
+via XML External Entity (XXE) Processing.
+
+Mitigation:
+Apache POI 4.1.0 and before: users who do not use the tool XSSFExportToXml
+are not affected. affected users are advised to update to Apache POI 4.1.1
+which fixes this vulnerability.
+
+Credit:
+This issue was discovered by Artem Smotrakov from SAP
+
+References:
+https://en.wikipedia.org/wiki/XML_external_entity_attack
+
+
+
+Release Contents
+----------------
+
+This release comes in two forms:
+ - pre-built binaries containing compiled versions of all Apache POI components and documentation 
+   (poi-bin-4.1.1-20191023.zip or poi-bin-4.1.1-20191023.tar.gz)
+ - source archive you can build POI from (poi-src-4.1.1-20191023.zip or poi-src-4.1.1-20191023.tar.gz)
+  Unpack the archive and use the following command to build all POI components with Apache Ant 1.8+ and JDK 1.8 or higher:
+
+  ant jar
+
+ Pre-built versions of all POI components are also available in the central Maven repository 
+ under Group ID "org.apache.poi" and Version "4.1.1"
+
+All release artifacts are accompanied by MD5 checksums and PGP signatures
+that you can use to verify the authenticity of your download.
+The public key used for the PGP signature can be found at 
+https://svn.apache.org/repos/asf/poi/tags/REL_4_1_1/KEYS
+
+About Apache POI
+-----------------------
+
+Apache POI is well-known in the Java field as a library for reading and
+writing Microsoft Office file formats, such as Excel, PowerPoint, Word,
+Visio, Publisher and Outlook. It supports both the older (OLE2) and
+new (OOXML - Office Open XML) formats.
+
+See https://poi.apache.org/ for more details
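Review bot: the sentence "All release artifacts are accompanied by MD5 checksums and PGP signatures" is carried over from the 4.1.0 notes but no longer matches this commit, which removes the .md5 and .sha1 files of 4.1.0 and adds only .sha256 and .sha512 files next to the .asc signatures for 4.1.1; change it to "SHA-256 and SHA-512 checksums and PGP signatures", and say that the checksums only confirm a download is intact while the PGP signature checked against the KEYS file is what authenticates it. The same lower-case "affected users" typo from the advisory text appears here. As a style point, the hunk rewrites the whole file, so unchanged text such as the "About Apache POI" section shows as removed and re-added, which hides the real edits (version strings, the new change-log bullets and the CVE section); a diff touching only the changed lines would be easier to review.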


