| Summary: | textproc/apache-poi update to version 3.15 | | |
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Pedro F. Giffuni <pfg> |
| Component: | Individual Port(s) | Assignee: | Bartek Rutkowski <robak> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | CC: | robak |
| Priority: | --- | Keywords: | patch, security |
| Version: | Latest | | |
| Hardware: | Any | | |
| OS: | Any | | |
Description
Pedro F. Giffuni
2016-12-21 23:48:46 UTC
A commit references this bug:

Author: robak
Date: Tue Mar 28 17:36:53 UTC 2017
New revision: 437143
URL: https://svnweb.freebsd.org/changeset/ports/437143

Log:
textproc/apache-poi: update 3.14 -> 3.15

PR: 215481
Submitted by: pfg

Changes:
head/textproc/apache-poi/Makefile
head/textproc/apache-poi/distinfo

Committed, thanks!

For the record ...

The Apache Software Foundation has issued:

CVE-2017-5644 - Possible DOS (Denial of Service) in Apache POI versions prior to 3.15.

Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

Users with applications which accept content from external or untrusted sources are advised to upgrade to Apache POI 3.15 or newer.

We are safe now, but maybe a vuxml entry is pertinent.
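A defensive pre-screen for the XEE issue quoted in the advisory above, as an added example that is not part of this bug report or of Apache POI: OOXML package parts are not supposed to carry DTD declarations, so a service accepting untrusted files can reject any package whose XML parts contain a DOCTYPE or ENTITY declaration before a parser sees it. The names `parts_with_dtd` and `sample_package`, the suffix list and the 1 MiB scan window are assumptions, and the sample package is constructed.

```python
import io
import re
import zipfile

# Any DTD declaration in a part is treated as grounds to reject the package.
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)")
ROOT_START = re.compile(rb"<[^!?/]")  # first element tag ends the prolog
MAX_SCAN = 1 << 20  # assumption: inspect at most 1 MiB of each part
XML_SUFFIXES = (".xml", ".rels", ".vml")


def parts_with_dtd(package: bytes) -> list[str]:
    """Return the XML parts of an OOXML package that should be rejected."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(XML_SUFFIXES):
                continue
            with zf.open(info) as part:
                head = part.read(MAX_SCAN)  # bounded read, never the whole part
            # Dropping NUL bytes lets the ASCII patterns match UTF-16 parts too.
            text = head.replace(b"\x00", b"")
            if DTD_MARKER.search(text):
                flagged.append(info.filename)
            elif len(head) == MAX_SCAN and not ROOT_START.search(text):
                # Prolog padded past the window: a DTD could hide behind it.
                flagged.append(info.filename)
    return flagged


def sample_package(with_dtd: bool) -> bytes:
    """Constructed two-part package (not a real document) for the demo."""
    dtd = '<!DOCTYPE w [<!ENTITY a "x">]>' if with_dtd else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", f'<?xml version="1.0"?>{dtd}<w>t</w>')
    return buf.getvalue()


if __name__ == "__main__":
    print(parts_with_dtd(sample_package(False)))
    print(parts_with_dtd(sample_package(True)))
```

The check is deliberately conservative: a marker inside a comment or CDATA section is also flagged, which is acceptable for input that should never contain one.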