
#205 Update poi-ooxml to v3.1.6 to address CVE-2017-5644

Milestone: 2.6.0
Status: closed-accepted
Owner: None
Priority: 5
Updated: 2018-11-14
Created: 2017-08-04
Creator: Mark Symons
Private: No

dbunit v2.5.3 has dependencies:

  • org.apache.poi:poi v3.14 (optional)
  • org.apache.poi:poi-ooxml v3.1.4

Update to v3.1.6 to address CVE-2017-5644... although v3.1.5 would also address the threat:

Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
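The ticket's reasoning is a version-range check: any POI artifact below the first fixed release is exposed, so 3.15 already closes CVE-2017-5644 and a later release closes it too. The following Python audit is an added example, not part of the ticket or of dbunit's build; it parses a constructed pom.xml fragment modelled on the two dependencies listed above and reports which advisory thresholds each one falls short of. The ticket writes POI releases as "v3.1.5" and "v3.1.7" while the quoted CVE text calls the same release "3.15", so the example uses the numeric form; the 3.17 threshold for CVE-2017-12626 is taken from the closing comment on this ticket and is an assumption here. Comparing versions numerically rather than as strings is the point worth keeping: "3.9" sorts after "3.14" lexicographically but is older.

```python
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment modelled on the dependencies the ticket lists
# for dbunit 2.5.3 (poi 3.14 optional, poi-ooxml 3.14). Not dbunit's real pom.
POM_SAMPLE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.poi</groupId>
      <artifactId>poi</artifactId>
      <version>3.14</version>
      <optional>true</optional>
    </dependency>
    <dependency>
      <groupId>org.apache.poi</groupId>
      <artifactId>poi-ooxml</artifactId>
      <version>3.14</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# First fixed release per advisory, as stated on the ticket:
#   CVE-2017-5644  - "versions prior to release 3.15" (XEE denial of service)
#   CVE-2017-12626 - the ticket's 3.17 upgrade is said to address it; treating
#                    3.17 as the fixed release is an assumption taken from that.
POI_ADVISORIES = [("CVE-2017-5644", "3.15"), ("CVE-2017-12626", "3.17")]
ADVISORIES = {
    ("org.apache.poi", "poi"): POI_ADVISORIES,
    ("org.apache.poi", "poi-ooxml"): POI_ADVISORIES,
}


def parse_version(v):
    """Turn '3.15' or '3.15-beta1' into a tuple that compares numerically.

    Numeric segments compare as integers (3.9 < 3.14 < 3.15), and a
    pre-release qualifier ranks below the plain release it precedes.
    """
    release, _, qualifier = v.partition("-")
    numbers = tuple(int(p) for p in release.split(".") if p.isdigit())
    return (numbers, 0 if qualifier else 1, qualifier)


def is_affected(version, fixed_in):
    """True when `version` is older than the first fixed release."""
    return parse_version(version) < parse_version(fixed_in)


def dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for each <dependency> in a pom."""
    root = ET.fromstring(pom_xml)
    for dep in root.findall(".//m:dependency", NS):
        yield (
            dep.findtext("m:groupId", namespaces=NS),
            dep.findtext("m:artifactId", namespaces=NS),
            dep.findtext("m:version", namespaces=NS),
        )


def audit(pom_xml):
    """Return (artifactId, version, cve, fixed_in) for every unmet threshold."""
    findings = []
    for group, artifact, version in dependencies(pom_xml):
        for cve, fixed_in in ADVISORIES.get((group, artifact), []):
            if is_affected(version, fixed_in):
                findings.append((artifact, version, cve, fixed_in))
    return findings


def fixed_in_all(group, artifact):
    """Lowest release that clears every listed advisory for the artifact."""
    fixes = [fix for _, fix in ADVISORIES.get((group, artifact), [])]
    return max(fixes, key=parse_version) if fixes else None


if __name__ == "__main__":
    for artifact, version, cve, fixed_in in audit(POM_SAMPLE):
        print(f"{artifact} {version}: {cve} (fixed in {fixed_in})")
    print("upgrade poi-ooxml to", fixed_in_all("org.apache.poi", "poi-ooxml"))
```

Run against the sample, both artifacts at 3.14 are reported for both advisories, and the recommended target is the higher of the two thresholds, which matches the outcome recorded in the closing comment.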

Discussion

  • Jeff Jensen

    Jeff Jensen - 2017-09-30

    Ticket moved from /p/dbunit/bugs/402/

    Can't be converted:

    • _fixed_release: (not fixed)
    • _milestone: v2.5.*
     
  • Jeff Jensen

    Jeff Jensen - 2017-09-30
    • status: open --> closed-accepted
    • assigned_to: Jeff Jensen
    • Release: v2.5.* --> 2.5.5
     
  • Mark Symons

    Mark Symons - 2018-11-14

    When it comes to release notes, the fix to this issue used org.apache.poi:poi-ooxml v3.1.7.

    As it happens, this has the happy outcome of also addressing a separate (newer) threat, CVE-2017-12626, that was first published 01/29/2018.
