Bug 215481 - textproc/apache-poi update to version 3.15
Summary: textproc/apache-poi update to version 3.15
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Bartek Rutkowski
Keywords: patch, security
Depends on:
Reported: 2016-12-21 23:48 UTC by Pedro F. Giffuni
Modified: 2017-03-28 20:13 UTC

See Also:

Update to version 3.15 (1.99 KB, patch)
2016-12-21 23:48 UTC, Pedro F. Giffuni

Description Pedro F. Giffuni freebsd_committer 2016-12-21 23:48:46 UTC
Created attachment 178189
Update to version 3.15

The most notable changes in this release are:

 - Various improvements to HSSF and XSSF.
 - XSSF performance improvements for large numbers of named ranges.
 - Progress towards enums rather than ints for various types
   (no breaking changes at this stage)
 - CellStyle#BORDER_HAIR and #BORDER_DOTTED were swapped to correctly
   reflect the official names and to be consistent with BorderStyle enum.
   HAIR has smaller dots than DOTTED.
 - Removal of deprecated classes and methods detailed on
Comment 1 commit-hook freebsd_committer 2017-03-28 17:38:01 UTC
A commit references this bug:

Author: robak
Date: Tue Mar 28 17:36:53 UTC 2017
New revision: 437143
URL: https://svnweb.freebsd.org/changeset/ports/437143

  textproc/apache-poi: update 3.14 -> 3.15

  PR:		215481
  Submitted by:	pfg

Comment 2 Bartek Rutkowski freebsd_committer 2017-03-28 17:38:50 UTC
Committed, thanks!
Comment 3 Pedro F. Giffuni freebsd_committer 2017-03-28 20:13:24 UTC
For the record ... The Apache Software Foundation has issued:

CVE-2017-5644 - Possible DOS (Denial of Service) in Apache POI versions prior to 3.15.
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack. Users with applications which accept content from external or untrusted sources are advised to upgrade to Apache POI 3.15 or newer.

We are safe now, but maybe a vuxml entry is pertinent.
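
A pre-parse gate for the upload scenario the advisory describes, as an added example that is not from this bug thread or from Apache POI: it refuses an OOXML package if any XML part declares a DTD, using a parser callback rather than a byte search so that UTF-16 parts are covered too. The suffix list, the size limit and the assumption that legitimate OOXML parts carry no DOCTYPE are this example's own; the sample package is constructed.

```python
import io
import zipfile
from xml.parsers import expat

XML_SUFFIXES = (".xml", ".rels", ".vml")  # assumption: parts treated as XML
MAX_PART_BYTES = 8 * 1024 * 1024          # assumption: per-part read limit

class DtdFound(Exception):
    """Raised from the expat callback to abort the parse at a DOCTYPE."""

def check_part(data):
    """Return None if the part is clean, else the reason it is refused."""
    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at the DOCTYPE, before any entity reference in the body is seen.
        raise DtdFound(name)

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(data, True)
    except DtdFound:
        return "dtd"
    except expat.ExpatError:
        return "malformed"
    return None

def scan_ooxml(blob):
    """Return [(part_name, reason)] for every XML part that should be refused."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(XML_SUFFIXES):
                continue
            with zf.open(info) as fh:
                data = fh.read(MAX_PART_BYTES + 1)  # bounded read, ignores declared size
            reason = "too-large" if len(data) > MAX_PART_BYTES else check_part(data)
            if reason:
                findings.append((info.filename, reason))
    return findings

def build_sample(with_dtd):
    """Constructed two-part package; the DTD variant declares one harmless entity."""
    dtd = '<!DOCTYPE workbook [<!ENTITY a "x">]>' if with_dtd else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", '<?xml version="1.0"?>' + dtd + "<workbook/>")
    return buf.getvalue()
```

An upload handler would call `scan_ooxml()` on the raw bytes and hand the file to the spreadsheet library only when the returned list is empty.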