Posted to announce@apache.org by Andreas Beeker <ki...@apache.org> on 2019/10/20 19:52:46 UTC

[ANNOUNCE] Apache POI 4.1.1 released

The Apache POI project is pleased to announce the release of POI 4.1.1.
Featured are a handful of new areas of functionality, and numerous bug fixes.

See the downloads page for binary and source distributions: https://poi.apache.org/download.html

Release Notes

Changes
------------
The most notable changes in this release are:

- XSSF: Memory improvements which use much less memory while writing large xlsx files
- XDDF: Improved chart support: more types and some API changes around angles and width units
- updated dependencies to Bouncycastle 1.62, Commons-Codec 1.13, Commons-Collections4 4.4, Commons-Compress 1.19
- XWPF: Additional API methods
- XSSF: Fixes to XSSFSheet.addMergedRegion() and XSSFRow.shiftRows()
- EMF/HSLF: Rendering fixes
- CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI

A full list of changes is available in the change log: https://poi.apache.org/changes.html.
People interested should also follow the dev mailing list to track further progress.


CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI
-------------------------------------------------------------------

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache POI up to version 4.1.0

Description:
When using the tool XSSFExportToXml to convert user-provided Microsoft
Excel documents, a specially crafted document can allow an attacker to
read files from the local filesystem or from internal network resources
via XML External Entity (XXE) Processing.

Mitigation:
Apache POI 4.1.0 and before: users who do not use the tool XSSFExportToXml
are not affected. Affected users are advised to update to Apache POI 4.1.1,
which fixes this vulnerability.

Credit:
This issue was discovered by Artem Smotrakov from SAP.

References:
https://en.wikipedia.org/wiki/XML_external_entity_attack
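The defense against the class of bug described above is to parse untrusted XML with external entity processing switched off. The following is an added example and is not Apache POI's code, nor the exact change shipped in 4.1.1; it only shows the generic JAXP hardening any Java code that converts user-provided documents should apply. The class name XxeHardenedParserDemo and the methods hardenedFactory and parseUntrusted are my own names; the two sample documents are constructed for the demo, and the SYSTEM path in the second one is a placeholder that points at nothing real. It assumes the JDK's built-in JAXP parser, which honours the listed features.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardenedParserDemo {

    /** Builds a JAXP DocumentBuilderFactory with entity processing disabled (added example). */
    public static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE at all, so no entity (internal or external) can be declared.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parses untrusted XML, throwing if the document tries to declare or resolve entities. */
    public static Document parseUntrusted(byte[] xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        // Last line of defence: never perform a file or network lookup for an entity.
        db.setEntityResolver((publicId, systemId) -> {
            throw new SAXParseException("external entity resolution blocked: " + systemId, null);
        });
        try (InputStream in = new ByteArrayInputStream(xml)) {
            return db.parse(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a benign document of the kind an export tool expects.
        String benign = "<?xml version=\"1.0\"?><rows><row><cell>42</cell></row></rows>";
        // Constructed sample: the same document carrying an external entity declaration.
        // The SYSTEM path is a placeholder; the hardened parser never dereferences it.
        String hostile = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE rows [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/not-a-real-file\">]>"
            + "<rows><row><cell>&ext;</cell></row></rows>";

        Document ok = parseUntrusted(benign.getBytes(StandardCharsets.UTF_8));
        System.out.println("benign document parsed, root = " + ok.getDocumentElement().getTagName());

        try {
            parseUntrusted(hostile.getBytes(StandardCharsets.UTF_8));
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("document with external entity rejected: " + e.getMessage());
        }
    }
}
```

With disallow-doctype-decl set, the hostile sample fails at the DOCTYPE before any entity is declared, which is the simplest check to add to a test suite: feed the converter a document with a DOCTYPE and assert it is rejected. The remaining features and the entity resolver matter only when a parser implementation ignores the first one, which is why both layers are kept.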



Release Contents
----------------

This release comes in two forms:
 - pre-built binaries containing compiled versions of all Apache POI components and documentation
   (poi-bin-4.1.1-20191023.zip or poi-bin-4.1.1-20191023.tar.gz)
 - source archive you can build POI from (poi-src-4.1.1-20191023.zip or poi-src-4.1.1-20191023.tar.gz).
   Unpack the archive and use the following command to build all POI components with Apache Ant 1.8+ and JDK 1.8 or higher:

   ant jar

Pre-built versions of all POI components are also available in the central Maven repository
under Group ID "org.apache.poi" and Version "4.1.1".

All release artifacts are accompanied by MD5 checksums and PGP signatures
that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at
https://svn.apache.org/repos/asf/poi/tags/REL_4_1_1/KEYS

About Apache POI
----------------

Apache POI is well-known in the Java field as a library for reading and
writing Microsoft Office file formats, such as Excel, PowerPoint, Word,
Visio, Publisher and Outlook. It supports both the older (OLE2) and
new (OOXML - Office Open XML) formats.

See https://poi.apache.org/ for more details.



Thanks to all our contributors for making this release possible.

On behalf of the Apache POI PMC,
Andi



Re: [ANNOUNCE] Apache POI 4.1.1 released

Posted by Tim Allison <ta...@apache.org>.
All,
  Thank you for this release!  I'm sorry that I was mostly AWOL.

Andi,
  Thank you for running this release!

       Cheers,

               Tim

On Sun, Oct 20, 2019 at 3:52 PM Andreas Beeker <ki...@apache.org> wrote: