All,
  Thank you for this release!  I'm sorry that I was mostly AWOL.

Andi,
  Thank you for running this release!

       Cheers,

               Tim

On Sun, Oct 20, 2019 at 3:52 PM Andreas Beeker <kiwiwi...@apache.org> wrote:

> The Apache POI project is pleased to announce the release of POI 4.1.1.
> Featured are a handful of new areas of functionality, and numerous bug
> fixes.
>
> See the downloads page for binary and source distributions:
> https://poi.apache.org/download.html
>
> Release Notes
>
> Changes
> ------------
> The most notable changes in this release are:
>
> - XSSF: Memory improvements which use much less memory while writing large
> xlsx files
> - XDDF: Improved chart support: more types and some API changes around
> angles and width units
> - updated dependencies to Bouncycastle 1.62, Commons-Codec 1.13,
> Commons-Collections4 4.4, Commons-Compress 1.19
> - XWPF: Additional API methods
> - XSSF: Fixes to XSSFSheet.addMergedRegion() and XSSFRow.shiftRows()
> - EMF/HSLF: Rendering fixes
> - CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI
>
> A full list of changes is available in the change log:
> https://poi.apache.org/changes.html.
> People interested should also follow the dev mailing list to track further
> progress.
>
>
> CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI
> -------------------------------------------------------------------
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Apache POI up to version 4.1.0
>
> Description:
> When using the tool XSSFExportToXml to convert user-provided Microsoft
> Excel documents, a specially crafted document can allow an attacker to
> read files from the local filesystem or from internal network resources
> via XML External Entity (XXE) Processing.
>
> Mitigation:
> Apache POI 4.1.0 and before: users who do not use the tool XSSFExportToXml
> are not affected. Affected users are advised to update to Apache POI 4.1.1
> which fixes this vulnerability.
>
> Credit:
> This issue was discovered by Artem Smotrakov from SAP
>
> References:
> https://en.wikipedia.org/wiki/XML_external_entity_attack
>
>
>
> Release Contents
> ----------------
>
> This release comes in two forms:
>  - pre-built binaries containing compiled versions of all Apache POI
> components and documentation
>    (poi-bin-4.1.1-20191023.zip or poi-bin-4.1.1-20191023.tar.gz)
>  - source archive you can build POI from (poi-src-4.1.1-20191023.zip or
> poi-src-4.1.1-20191023.tar.gz)
>   Unpack the archive and use the following command to build all POI
> components with Apache Ant 1.8+ and JDK 1.8 or higher:
>
>   ant jar
>
>  Pre-built versions of all POI components are also available in the
> central Maven repository
>  under Group ID "org.apache.poi" and Version "4.1.1"
>
> All release artifacts are accompanied by MD5 checksums and PGP signatures
> that you can use to verify the authenticity of your download.
> The public key used for the PGP signature can be found at
> https://svn.apache.org/repos/asf/poi/tags/REL_4_1_1/KEYS
>
> About Apache POI
> -----------------------
>
> Apache POI is well-known in the Java field as a library for reading and
> writing Microsoft Office file formats, such as Excel, PowerPoint, Word,
> Visio, Publisher and Outlook. It supports both the older (OLE2) and
> new (OOXML - Office Open XML) formats.
>
> See https://poi.apache.org/ for more details
>
>
>
> Thanks to all our contributors for making this release possible.
>
> On behalf of the Apache POI PMC,
> Andi
>
>
>
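To act on the mitigation in the quoted advisory, the following added example (not part of the original message and not code from the Apache POI project) lists `org.apache.poi` dependencies in a Maven POM that are older than the fixed 4.1.1 release. The sample POM, the function names and the single-level `${property}` handling are assumptions made for illustration; per the advisory, a flagged version matters only where XSSFExportToXml is used on user-provided documents.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (4, 1, 1)            # first fixed release, per the advisory
GROUP_ID = "org.apache.poi"  # Maven Group ID named in the announcement
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM for illustration only.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><poi.version>4.1.0</poi.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.poi</groupId><artifactId>poi</artifactId><version>${poi.version}</version></dependency>
    <dependency><groupId>org.apache.poi</groupId><artifactId>poi-ooxml</artifactId><version>4.1.1</version></dependency>
    <dependency><groupId>org.apache.poi</groupId><artifactId>poi-scratchpad</artifactId><version>3.17</version></dependency>
    <dependency><groupId>commons-codec</groupId><artifactId>commons-codec</artifactId><version>1.13</version></dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """Turn '4.1.0' or '4.1.1-SNAPSHOT' into a comparable 3-tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums) + (0,) * (3 - len(nums))

def affected_poi_dependencies(pom_xml):
    """Return [(artifactId, version)] for POI dependencies older than 4.1.1."""
    root = ET.fromstring(pom_xml)
    # Collect <properties> so that ${poi.version}-style references resolve.
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    hits = []
    for dep in root.iterfind(".//m:dependency", NS):
        if dep.findtext("m:groupId", "", NS).strip() != GROUP_ID:
            continue
        artifact = dep.findtext("m:artifactId", "", NS).strip()
        version = dep.findtext("m:version", "", NS).strip()
        ref = re.fullmatch(r"\$\{(.+)\}", version)
        if ref:
            version = props.get(ref.group(1), "")
        if not version:
            # Version is inherited or managed elsewhere: needs a manual look.
            hits.append((artifact, "unresolved"))
        elif parse_version(version) < FIXED:
            hits.append((artifact, version))
    return hits

if __name__ == "__main__":
    for artifact, version in affected_poi_dependencies(SAMPLE_POM):
        print(f"{GROUP_ID}:{artifact}:{version} predates 4.1.1")
```

An "unresolved" entry means the version comes from a parent POM or dependency management section, so the effective version has to be confirmed with the build tool.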
