Hi all,

I have posted a release candidate for the Apache OpenNLP 1.9.5 release and
it is ready for testing.

This is a maintenance release of the 1.9.x line, addressing several
security vulnerabilities (CVEs) that affect Apache Lucene 8.x and
downstream Solr 8.x which depend on OpenNLP 1.9.x:

- OPENNLP-1819: Align DictionaryEntryPersistor XML parsing with XmlUtil
helper
- OPENNLP-1820: Restrict ExtensionLoader to allowlisted package prefixes
- OPENNLP-1821: Prevent OutOfMemory due to huge array allocation
- OPENNLP-1826: Fix for XML parser security options
- OPENNLP-1835: Tolerate unsupported XML parser security options

Thank you to everyone who contributed to this release, including all of our
users and the people who submitted bug reports, contributed code or
documentation enhancements.

The release was made using the OpenNLP release process, documented on the
website:
https://opennlp.apache.org/release.html

Maven Repo:
https://repository.apache.org/content/repositories/orgapacheopennlp-1067

<repositories>
  <repository>
    <id>opennlp-1.9.5-rc1</id>
    <name>Testing OpenNLP 1.9.5 release candidate</name>
    <url>https://repository.apache.org/content/repositories/orgapacheopennlp-1067</url>
  </repository>
</repositories>

Binaries & Source:
https://dist.apache.org/repos/dist/dev/opennlp/opennlp-1.9.5

Tag:
https://github.com/apache/opennlp/releases/tag/opennlp-1.9.5

Tag Hash: 558f83bd89ec0f324fd6331067a093ce2ae58d1c

Release notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311215&version=12355022

Reminder: The up-to-date KEYS file for signature verification can be
found here: https://dist.apache.org/repos/dist/release/opennlp/KEYS

Checklist for reference:

[ ] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are present,
along with .asc and .sha512 files for each.
[ ] PGP signatures are valid for the release artifacts using the KEYS file
from dist.apache.org
[ ] SHA512 checksums are correct and verified.
[ ] LICENSE and NOTICE files exist and are accurate.
[ ] No unexpected binary files in the source release.
[ ] All source files have appropriate ASF headers (excluding generated
files and legacy files).
[ ] Build completes successfully from source and the instructions to do so
are clear.

Please vote on releasing these packages as Apache OpenNLP 1.9.5. The
vote is open for at least the next 72 hours.

Only votes from OpenNLP PMC are binding, but everyone is welcome to
check the release candidate and vote.
The vote passes if at least three binding +1 votes are cast.

Please VOTE

[+1] go ship it
[+0] meh, don't care
[-1] stop, there is a ${showstopper}

Thanks!

Atita
