Posted to commits@poi.apache.org by ni...@apache.org on 2014/10/27 20:42:25 UTC

svn commit: r1634661 - /poi/site/src/documentation/RN-Changes-3.11.txt

Author: nick
Date: Mon Oct 27 19:42:25 2014
New Revision: 1634661

URL: http://svn.apache.org/r1634661
Log:
Record the 3.11 beta 2 release notes, which will be needed for final, and start on the 3.11 beta 3 ones

Modified:
    poi/site/src/documentation/RN-Changes-3.11.txt

Modified: poi/site/src/documentation/RN-Changes-3.11.txt
URL: http://svn.apache.org/viewvc/poi/site/src/documentation/RN-Changes-3.11.txt?rev=1634661&r1=1634660&r2=1634661&view=diff
==============================================================================
--- poi/site/src/documentation/RN-Changes-3.11.txt (original)
+++ poi/site/src/documentation/RN-Changes-3.11.txt Mon Oct 27 19:42:25 2014
@@ -1,6 +1,40 @@
 @List changes here@
 
-[TODO Add 3.11 beta 2 items here]
+[TODO Add 3.11 Finaly items here]
+
+[TODO Add remaining 3.11 beta 3 items here]
+
+Backwards Incompatible changes:
+
+The minimum Apache Ant version has been increased to Apache Ant 1.8
+
+[Beta 2 Changes]
+
+This release fixes two security issues with OOXML:
+
+ - Tidy up the OPC SAX setup code with a new common Helper, preventing
+   external entity expansion (CVE-2014-3529).
+ - On supported XML parser versions (Xerces or JVM built-in, XMLBeans 2.6),
+   enforce sensible limits on entity expansion in OOXML files, and ensure
+   that subsequent normal files still pass fine (CVE-2014-3574).
+
+Please note: You should use xmlbeans-2.6.jar (as shipped with this release)
+instead of the xmlbeans-2.3.jar version from the 3.10-FINAL release to work
+around CVE-2014-3574. If you have an alternate XML parser like Apache Xerces
+in classpath, be sure to use a recent version! Older versions are likely to
+break on setting required security features.
+
+Thanks to Stefan Kopf, Mike Boufford, Mohamed Ramadan, and Christian Schneider
+for reporting these issues!
+
+Other notable changes in this release are:
+
+ - Switch from dom4j to JAXP: dom4j is no longer a dependency of Apache POI,
+   it solely uses xmlbeans-2.6.jar and the DOM implementation as shipped by the JDK.
+ - For XSLF Pictures, provide a way to get the URI of externally linked pictures
+ - Provide a helpful exception, XLSBUnsupportedException, if XSSFWorkbook is passed a .xlsb file
+
+[Beta 1 Changes]
 
 Recommended Apache XMLBeans version increased to 2.6.0 (any version from 
  2.3.0 or later will work though)
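
Review bot: The added security note tells readers to use xmlbeans-2.6.jar instead of xmlbeans-2.3.jar to work around CVE-2014-3574, but the unchanged Beta 1 text at the end of this hunk still says "any version from 2.3.0 or later will work though". A reader skimming the final notes could conclude 2.3 is adequate, so consider qualifying that line to say that 2.3 lacks the entity expansion limits. In the same paragraph, "be sure to use a recent version!" gives users with Apache Xerces on the classpath nothing to check against. Stating the minimum Xerces version on which the required security features can be set would make the advice actionable. Separately, the first added placeholder reads "[TODO Add 3.11 Finaly items here]", where "Finaly" should be "Final". The "Backwards Incompatible changes" entry about Ant 1.8 also sits above the "[Beta 2 Changes]" heading, so it is unclear which beta it belongs to.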


