Bug 215481

Summary: textproc/apache-poi update to version 3.15
Product: Ports & Packages
Reporter: Pedro F. Giffuni <pfg>
Component: Individual Port(s)
Assignee: Bartek Rutkowski <robak>
Status: Closed FIXED
Severity: Affects Only Me
CC: robak
Priority: ---
Keywords: patch, security
Version: Latest
Hardware: Any
OS: Any
Attachments:
  Update to version 3.15 (flags: none)

Description Pedro F. Giffuni freebsd_committer freebsd_triage 2016-12-21 23:48:46 UTC
Created attachment 178189
Update to version 3.15

The most notable changes in this release are:

 - Various improvements to HSSF and XSSF.
 - XSSF performance improvements for large numbers of named ranges.
 - Progress towards enums rather than ints for various types
   (no breaking changes at this stage)
 - CellStyle#BORDER_HAIR and #BORDER_DOTTED were swapped to correctly
   reflect the official names and to be consistent with BorderStyle enum.
   HAIR has smaller dots than DOTTED.
 - Removal of deprecated classes and methods detailed on
   https://bz.apache.org/bugzilla/show_bug.cgi?id=59170

Comment 1 commit-hook freebsd_committer freebsd_triage 2017-03-28 17:38:01 UTC
A commit references this bug:

Author: robak
Date: Tue Mar 28 17:36:53 UTC 2017
New revision: 437143
URL: https://svnweb.freebsd.org/changeset/ports/437143

Log:
  textproc/apache-poi: update 3.14 -> 3.15

  PR:		215481
  Submitted by:	pfg

Changes:
  head/textproc/apache-poi/Makefile
  head/textproc/apache-poi/distinfo

Comment 2 Bartek Rutkowski freebsd_committer freebsd_triage 2017-03-28 17:38:50 UTC
Committed, thanks!

Comment 3 Pedro F. Giffuni freebsd_committer freebsd_triage 2017-03-28 20:13:24 UTC
For the record ... The Apache Software Foundation has issued:

CVE-2017-5644 - Possible DOS (Denial of Service) in Apache POI versions prior to 3.15.
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack. Users with applications which accept content from external or untrusted sources are advised to upgrade to Apache POI 3.15 or newer.

We are safe now, but maybe a vuxml entry is pertinent.
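
Added example, not part of the bug report and not code from Apache POI or the FreeBSD port: an intake check that rejects OOXML uploads carrying DTD or entity declarations before they reach a parser, as defence in depth for the XEE issue quoted in comment 3. It assumes legitimate OOXML parts contain no DTD; the function names, the size cap and the sample packages are constructed for illustration.

```python
import io
import re
import zipfile

# Markers of a DTD; assumption: legitimate OOXML parts never declare one.
# A marker inside a comment or CDATA also matches, which is fine for reject-first intake.
DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
XML_SUFFIXES = (".xml", ".rels", ".vml")
MAX_PART_BYTES = 16 * 1024 * 1024  # assumed per-part cap, tune per deployment


def _to_utf8(raw):
    """Normalise UTF-16 parts (detected by BOM) so the byte regex still matches."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace").encode("utf-8")
    return raw


def scan_ooxml(data):
    """Return (part_name, reason) findings for one OOXML package given as bytes."""
    findings = []
    try:
        package = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<package>", "not a ZIP container")]
    with package:
        for info in package.infolist():
            if not info.filename.lower().endswith(XML_SUFFIXES):
                continue
            with package.open(info) as part:
                raw = part.read(MAX_PART_BYTES + 1)  # bounded read, never the full part
            if len(raw) > MAX_PART_BYTES:
                findings.append((info.filename, "part exceeds size cap"))
            elif DTD_MARKER.search(_to_utf8(raw)):
                findings.append((info.filename, "DTD or entity declaration"))
    return findings


def make_package(parts):
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, body in parts.items():
            archive.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_package({"xl/workbook.xml": b'<!DOCTYPE w [<!ENTITY a "x">]><w>&a;</w>'})
    print(scan_ooxml(sample))
```

An empty result means no DTD markers were found in the scanned parts; it does not replace running POI 3.15 or newer.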