Posted to commits@poi.apache.org by us...@apache.org on 2014/08/20 15:58:56 UTC

svn commit: r6212 - in /release/poi/dev: ./ bin/ src/

Author: uschindler
Date: Wed Aug 20 13:58:56 2014
New Revision: 6212

Log:
Push 3.11-beta2 release to Apache Mirrors

Added:
    release/poi/dev/RELEASE-NOTES.txt
      - copied, changed from r6181, dev/poi/3.11-beta2-RC1/RELEASE-NOTES.txt
    release/poi/dev/bin/poi-bin-3.11-beta2-20140822.tar.gz
      - copied unchanged from r6181, dev/poi/3.11-beta2-RC1/bin/poi-bin-3.11-beta2-20140822.tar.gz
    release/poi/dev/bin/poi-bin-3.11-beta2-20140822.tar.gz.asc
      - copied unchanged from r6181, dev/poi/3.11-beta2-RC1/bin/poi-bin-3.11-beta2-20140822.tar.gz.asc
    release/poi/dev/bin/poi-bin-3.11-beta2-20140822.tar.gz.md5
      - copied unchanged from r6181, dev/poi/3.11-beta2-RC1/bin/poi-bin-3.11-beta2-20140822.tar.gz.md5
    release/poi/dev/bin/poi-bin-3.11-beta2-20140822.tar.gz.sha1
      - copied unchanged from r6181, dev/poi/3.11-beta2-RC1/bin/poi-bin-3.11-beta2-20140822.tar.gz.sha1
    release/poi/dev/bin/poi-bin-3.11-beta2-20140822.zip
      - copied unchanged from r6181, dev/poi/3.11-beta2-RC1/bin/poi-bin-3.11-beta2-20140822.zip
    release/poi/dev/bin/poi-bin-3.11-beta2-20140822.zip.asc
      - copied unchanged from r6181, dev/poi/3.11-beta2-RC1/bin/poi-bin-3.11-beta2-20140822.zip.asc
    release/poi/dev/bin/poi-bin-3.11-beta2-20140822.zip.md5
      - copied unchanged from r6181, dev/poi/3.11-beta2-RC1/bin/poi-bin-3.11-beta2-20140822.zip.md5
    release/poi/dev/bin/poi-bin-3.11-beta2-20140822.zip.sha1
      - copied unchanged from r6181, dev/poi/3.11-beta2-RC1/bin/poi-bin-3.11-beta2-20140822.zip.sha1
    release/poi/dev/src/poi-src-3.11-beta2-20140822.tar.gz
      - copied unchanged from r6181, dev/poi/3.11-beta2-RC1/src/poi-src-3.11-beta2-20140822.tar.gz
    release/poi/dev/src/poi-src-3.11-beta2-20140822.tar.gz.asc
      - copied unchanged from r6181, dev/poi/3.11-beta2-RC1/src/poi-src-3.11-beta2-20140822.tar.gz.asc
    release/poi/dev/src/poi-src-3.11-beta2-20140822.tar.gz.md5
      - copied unchanged from r6181, dev/poi/3.11-beta2-RC1/src/poi-src-3.11-beta2-20140822.tar.gz.md5
    release/poi/dev/src/poi-src-3.11-beta2-20140822.tar.gz.sha1
      - copied unchanged from r6181, dev/poi/3.11-beta2-RC1/src/poi-src-3.11-beta2-20140822.tar.gz.sha1
    release/poi/dev/src/poi-src-3.11-beta2-20140822.zip
      - copied unchanged from r6181, dev/poi/3.11-beta2-RC1/src/poi-src-3.11-beta2-20140822.zip
    release/poi/dev/src/poi-src-3.11-beta2-20140822.zip.asc
      - copied unchanged from r6181, dev/poi/3.11-beta2-RC1/src/poi-src-3.11-beta2-20140822.zip.asc
    release/poi/dev/src/poi-src-3.11-beta2-20140822.zip.md5
      - copied unchanged from r6181, dev/poi/3.11-beta2-RC1/src/poi-src-3.11-beta2-20140822.zip.md5
    release/poi/dev/src/poi-src-3.11-beta2-20140822.zip.sha1
      - copied unchanged from r6181, dev/poi/3.11-beta2-RC1/src/poi-src-3.11-beta2-20140822.zip.sha1

Copied: release/poi/dev/RELEASE-NOTES.txt (from r6181, dev/poi/3.11-beta2-RC1/RELEASE-NOTES.txt)
==============================================================================
--- dev/poi/3.11-beta2-RC1/RELEASE-NOTES.txt (original)
+++ release/poi/dev/RELEASE-NOTES.txt Wed Aug 20 13:58:56 2014
@@ -7,9 +7,27 @@ Release Notes 
 
 Changes
 ------------
-The most notable changes in this release are:
+This release fixes two security issues with OOXML:
 
-@List changes here@
+ - Tidy up the OPC SAX setup code with a new common Helper, preventing
+   external entity expansion (CVE-2014-3529).
+ - On supported XML parser versions (Xerces or JVM built-in, XMLBeans 2.6),
+   enforce sensible limits on entity expansion in OOXML files, and ensure
+   that subsequent normal files still pass fine (CVE-2014-3574).
+
+Please note: You should use xmlbeans-2.6.jar (as shipped with this release)
+instead of the xmlbeans-2.3.jar version from the 3.10-FINAL release to work
+around CVE-2014-3574. If you have an alternate XML parser like Apache Xerces
+in classpath, be sure to use a recent version! Older versions are likely to
+break on setting required security features.
+
+Thanks to Stefan Kopf, Mike Boufford, and Christian Schneider for reporting
+these issues!
+
+Other notable changes in this release are:
+
+ - For XSLF Pictures, provide a way to get the URI of externally linked pictures
+ - Provide a helpful exception, XLSBUnsupportedException, if XSSFWorkbook is passed a .xlsb file
 
 A full list of changes is available in the change log: http://poi.apache.org/changes.html. 
 People interested should also follow the dev mailing list to track further progress.
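Review bot: In the "Please note" paragraph, "be sure to use a recent version" gives users of an alternate parser such as Apache Xerces nothing to check against; name the minimum version that accepts the required security features. The second bullet also restricts the entity expansion limits to "supported XML parser versions" without saying what happens on an unsupported one, so the notes should state whether POI then fails, warns, or runs without the limits. The opening line says the release "fixes" both issues while the note describes xmlbeans-2.6.jar as a way to "work around" CVE-2014-3574; use one wording so readers can tell whether upgrading the POI jars alone is sufficient or the xmlbeans upgrade is required.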


