Author: centic
Date: Sat Dec 18 11:29:24 2021
New Revision: 1896124
URL: http://svn.apache.org/viewvc?rev=1896124&view=rev
Log:
Add news-item about the Log4j vulnerabilities
Modified:
poi/site/publish/changes.html
poi/site/publish/index.html
poi/site/src/documentation/content/xdocs/index.xml
Modified: poi/site/publish/changes.html
URL:
http://svn.apache.org/viewvc/poi/site/publish/changes.html?rev=1896124&r1=1896123&r2=1896124&view=diff
==============================================================================
--- poi/site/publish/changes.html (original)
+++ poi/site/publish/changes.html Sat Dec 18 11:29:24 2021
@@ -223,7 +223,7 @@ document.write("Last Published: " + docu
<li>Refactor to XSSF CommentsTable to make it more extensible</li>
-<li>Upgrade Log4J dependency to 2.16.0</li>
+<li>Upgrade Log4J dependency to 2.17.0</li>
<li>Upgrade BouncyCastle dependency to 1.70</li>
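Review bot: the changed entry, "Upgrade Log4J dependency to 2.17.0", does not say which Log4j artifact is meant, while the news item added in the same revision turns on the difference between log4j-api and log4j-core. Suggest naming the artifact in the entry. The log message mentions only the news item, and the modified-files list contains only the published copy of changes.html with no source file for it, so it is worth confirming that the same edit is made wherever that page is generated from; otherwise it may be lost on the next site build.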
Modified: poi/site/publish/index.html
URL:
http://svn.apache.org/viewvc/poi/site/publish/index.html?rev=1896124&r1=1896123&r2=1896124&view=diff
==============================================================================
--- poi/site/publish/index.html (original)
+++ poi/site/publish/index.html Sat Dec 18 11:29:24 2021
@@ -179,6 +179,15 @@ document.write("Last Published: " + docu
<a name="Project+News"></a>
<h2 class="boxed">Project News</h2>
<div class="section">
+<a
name="10%2B16%2B18+December+2021-+Log4j+vulnerabilities+CVE-2021-44228%2C+CVE-2021-45046+and+CVE-2021-45105"></a>
+<h3 class="boxed">10+16+18 December 2021- Log4j vulnerabilities
CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105</h3>
+<p>The Apache POI PMC has evaluated the security vulnerabilities reported
+ for Apache Log4j.</p>
+<p>POI 5.1.0 and XMLBeans 5.0.2 (the latest releases of both) have only
dependencies on log4j-api 2.14.1.
+ The security vulnerabilities are not in log4j-api - they are in
log4j-core.</p>
+<p>If any POI or XMLBeans user uses log4j-core to control their logging of
their application,
+ we strongly recommend that they upgrade all their log4j
dependencies to the latest
+ version (currently v2.17.0) - including log4j-api.</p>
<a name="1+November+2021+-+POI+5.1.0+available"></a>
<h3 class="boxed">1 November 2021 - POI 5.1.0 available</h3>
<p>The Apache POI team is pleased to announce the release of 5.1.0.
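Review bot: the new heading "10+16+18 December 2021- Log4j vulnerabilities" is hard to read as a date and lacks the space before the hyphen that the existing heading in the context below has ("1 November 2021 - POI 5.1.0 available"). The "+" signs also end up percent-encoded as %2B in the anchor name, which makes for an awkward link target. Suggest wording such as "10, 16 and 18 December 2021 - Log4j vulnerabilities ...", changed in the xdocs source so that the published heading and anchor follow from it.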
Modified: poi/site/src/documentation/content/xdocs/index.xml
URL:
http://svn.apache.org/viewvc/poi/site/src/documentation/content/xdocs/index.xml?rev=1896124&r1=1896123&r2=1896124&view=diff
==============================================================================
--- poi/site/src/documentation/content/xdocs/index.xml (original)
+++ poi/site/src/documentation/content/xdocs/index.xml Sat Dec 18 11:29:24 2021
@@ -26,6 +26,15 @@
<body>
<section><title>Project News</title>
+ <section><title>10+16+18 December 2021- Log4j vulnerabilities
CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105</title>
+ <p>The Apache POI PMC has evaluated the security vulnerabilities
reported
+ for Apache Log4j.</p>
+ <p>POI 5.1.0 and XMLBeans 5.0.2 (the latest releases of both) have
only dependencies on log4j-api 2.14.1.
+ The security vulnerabilities are not in log4j-api - they are in
log4j-core.</p>
+ <p>If any POI or XMLBeans user uses log4j-core to control their
logging of their application,
+ we strongly recommend that they upgrade all their log4j
dependencies to the latest
+ version (currently v2.17.0) - including log4j-api.</p>
+ </section>
<!-- latest final release -->
<section><title>1 November 2021 - POI 5.1.0 available</title>
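Review bot: in the second <p>, "have only dependencies on log4j-api 2.14.1" can be read as "only some dependencies"; "depend only on log4j-api 2.14.1 and not on log4j-core" states the point directly. In the third <p>, the recommendation is conditional on the user having log4j-core, and a reader who does not is left to infer what applies to them; consider adding a sentence that says so explicitly. "(currently v2.17.0)" will go stale, so tying it to the date of the item or pointing readers at the Log4j project's own security page would hold up better.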