Hi all,

I have posted a release candidate for the Apache OpenNLP 1.9.5 release and it is ready for testing.

This is a maintenance release of the 1.9.x line, addressing several security vulnerabilities (CVEs) that affect Apache Lucene 8.x and downstream Solr 8.x which depend on OpenNLP 1.9.x:

- OPENNLP-1819: Align DictionaryEntryPersistor XML parsing with XmlUtil helper
- OPENNLP-1820: Restrict ExtensionLoader to allowlisted package prefixes
- OPENNLP-1821: Prevent OutOfMemory due to huge array allocation
- OPENNLP-1826: Fix for XML parser security options
- OPENNLP-1835: Tolerate unsupported XML parser security options

Thank you to everyone who contributed to this release, including all of our users and the people who submitted bug reports, contributed code or documentation enhancements.

The release was made using the OpenNLP release process, documented on the website:
https://opennlp.apache.org/release.html

Maven Repo:
https://repository.apache.org/content/repositories/orgapacheopennlp-1067

<repositories>
  <repository>
    <id>opennlp-1.9.5-rc1</id>
    <name>Testing OpenNLP 1.9.5 release candidate</name>
    <url>
      https://repository.apache.org/content/repositories/orgapacheopennlp-1067
    </url>
  </repository>
</repositories>

Binaries & Source:
https://dist.apache.org/repos/dist/dev/opennlp/opennlp-1.9.5

Tag:
https://github.com/apache/opennlp/releases/tag/opennlp-1.9.5

Tag Hash:
558f83bd89ec0f324fd6331067a093ce2ae58d1c

Release notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311215&version=12355022

Reminder: The up-to-date KEYS file for signature verification can be found here:
https://dist.apache.org/repos/dist/release/opennlp/KEYS

Checklist for reference:

[ ] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are present, along with .asc and .sha512 files for each.
[ ] PGP signatures are valid for the release artifacts using the KEYS file from dist.apache.org
[ ] SHA512 checksums are correct and verified.
[ ] LICENSE and NOTICE files exist and are accurate.
[ ] No unexpected binary files in the source release.
[ ] All source files have appropriate ASF headers (excluding generated files and legacy files).
[ ] Build completes successfully from source and the instructions to do so are clear.

Please vote on releasing these packages as Apache OpenNLP 1.9.5. The vote is open for at least the next 72 hours.

Only votes from OpenNLP PMC are binding, but everyone is welcome to check the release candidate and vote. The vote passes if at least three binding +1 votes are cast.

Please VOTE

[+1] go ship it
[+0] meh, don't care
[-1] stop, there is a ${showstopper}

Thanks!
Atita
