Hi,

We would not usually upgrade POI 4. POI 5 is the maintained version. We will consider patching POI 4, but only in exceptional cases. We would really prefer if you used POI 5.

There are known issues in libs that POI depends on and you should be able, in many cases, to just upgrade the lib that POI depends on in your own build. One example is batik; you can just upgrade your own build to use the latest version of batik. If this does not work for you, get back to us.

If the issue is a code issue in POI itself, could you read https://www.apache.org/security/#:~:text=Send%20reports%20of%20vulnerabilities%20in,each%20vulnerability%20you%20are%20reporting. You shouldn't send the details to this email address. You should send them to the security team privately.

Regards,
PJ

On Tuesday 19 October 2021, 10:38:37 IST, 김태은 <aeol...@estsecurity.com> wrote:

Hi. I'm Tae-eun Kim.

I'm developing using apache poi version 4.1.2. During the security review of the software, it was pointed out that the poi version was not up to date. I wonder if the poi development team will continue to manage security issues in the 4.x version. I plan to upgrade to poi version 5.x in the future, but I have sent an inquiry e-mail because the schedule is currently insufficient.

Thanks for reading.