Author: centic
Date: Tue Apr 15 13:04:10 2025
New Revision: 1925094

URL: http://svn.apache.org/viewvc?rev=1925094&view=rev
Log:
Add published CVE-2025-31672 to project news

Modified:
    poi/site/publish/index.html
    poi/site/src/documentation/content/xdocs/index.xml

Modified: poi/site/publish/index.html
URL: 
http://svn.apache.org/viewvc/poi/site/publish/index.html?rev=1925094&r1=1925093&r2=1925094&view=diff
==============================================================================
--- poi/site/publish/index.html (original)
+++ poi/site/publish/index.html Tue Apr 15 13:04:10 2025
@@ -185,6 +185,36 @@ document.write("Last Published: " + docu
 <a name="Project+News"></a>
 <h2 class="boxed">Project News</h2>
 <div class="section">
+<a 
name="8+April+2025+-+CVE-2025-31672+-+Improper+Input+Validation+vulnerability+in+Apache+POI+before+5.4.0"></a>
+<h3 class="boxed">8 April 2025 - CVE-2025-31672 - Improper Input Validation 
vulnerability in Apache POI before 5.4.0</h3>
+<p>
+          While parsing of OOXML format files like xlsx, docx and pptx, a 
specially crafted file could
+          be used to provide multiple entries with the same name in the 
zip-compressed file-format.
+          <br>
+          Products reading the affected file could read different data because 
one of the zip entries with the
+          duplicate name is selected over another by different products 
differently.<br>
+<br>
+          This issue affects Apache POI component poi-ooxml before 5.4.0. 
Starting with 5.4.0 poi-ooxml performs
+          a check that throws an exception if zip entries with duplicate file 
names are found in the input file.<br>
+<br>
+          Users are recommended to upgrade to version poi-ooxml 5.4.0 or 
later, which fixes the issue.
+          Please refer to our <a 
href="https://poi.apache.org/security.html";>security guidelines</a>
+          for recommendations about how to use the POI libraries securely.
+        </p>
+<p>
+          References:
+        </p>
+<ul>
+          
+<li>
+<a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=69620";>Bug 69620</a>
+</li>
+          
+<li>
+<a href="https://www.cve.org/CVERecord?id=CVE-2025-31672";>CVE-2025-31672</a>
+</li>
+        
+</ul>
 <a name="6+April+2025+-+POI+5.4.1+available"></a>
 <h3 class="boxed">6 April 2025 - POI 5.4.1 available</h3>
 <p>The Apache POI team is pleased to announce the release of 5.4.1.
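
Review bot: The first added paragraph is hard to parse in two places: "While parsing of OOXML format files" and "is selected over another by different products differently". Since this text is the public description of CVE-2025-31672, consider wording along the lines of "When parsing OOXML files such as xlsx, docx and pptx" and "different products may select a different one of the entries that share a name", so the parser-differential risk is stated unambiguously. The same wording appears in the index.xml hunk of this commit, so the change should be made there and this file regenerated.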

Modified: poi/site/src/documentation/content/xdocs/index.xml
URL: 
http://svn.apache.org/viewvc/poi/site/src/documentation/content/xdocs/index.xml?rev=1925094&r1=1925093&r2=1925094&view=diff
==============================================================================
--- poi/site/src/documentation/content/xdocs/index.xml (original)
+++ poi/site/src/documentation/content/xdocs/index.xml Tue Apr 15 13:04:10 2025
@@ -27,6 +27,28 @@
   <body>
     <section><title>Project News</title>
 
+      <section><title>8 April 2025 - CVE-2025-31672 - Improper Input 
Validation vulnerability in Apache POI before 5.4.0</title>
+        <p>
+          While parsing of OOXML format files like xlsx, docx and pptx, a 
specially crafted file could
+          be used to provide multiple entries with the same name in the 
zip-compressed file-format.
+          <br/>
+          Products reading the affected file could read different data because 
one of the zip entries with the
+          duplicate name is selected over another by different products 
differently.<br/><br/>
+          This issue affects Apache POI component poi-ooxml before 5.4.0. 
Starting with 5.4.0 poi-ooxml performs
+          a check that throws an exception if zip entries with duplicate file 
names are found in the input file.<br/><br/>
+          Users are recommended to upgrade to version poi-ooxml 5.4.0 or 
later, which fixes the issue.
+          Please refer to our <a 
href="https://poi.apache.org/security.html";>security guidelines</a>
+          for recommendations about how to use the POI libraries securely.
+        </p>
+        <p>
+          References:
+        </p>
+        <ul>
+          <li><a 
href="https://bz.apache.org/bugzilla/show_bug.cgi?id=69620";>Bug 69620</a></li>
+          <li><a 
href="https://www.cve.org/CVERecord?id=CVE-2025-31672";>CVE-2025-31672</a></li>
+        </ul>
+      </section>
+
       <!-- latest final release -->
       <section><title>6 April 2025 - POI 5.4.1 available</title>
         <p>The Apache POI team is pleased to announce the release of 5.4.1.
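
Review bot: The sentence "Starting with 5.4.0 poi-ooxml performs a check that throws an exception if zip entries with duplicate file names are found" documents a behaviour change for callers but does not name the exception or say that files which previously opened will now be rejected. Consider adding one sentence telling applications that process untrusted documents to expect and handle this failure when opening a file. Separately, the entry directly below announces 5.4.1, so the upgrade recommendation of "5.4.0 or later" could point readers to the current release.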


