b) because it seems to be the most "security-minded" approach.
Tilman On 16.10.2023 21:59, Tim Allison wrote:
All, We detected and fixed an area for improvement in the version of POI that we just upgraded to (https://bz.apache.org/bugzilla/show_bug.cgi?id=67767). I should have caught this in earlier regression tests before the release of POI, but I clearly botched that comparison run. I'm sorry. My guess is that the next release of POI with that fix is probably a week or two away. Given the compress cve (CVE-2023-42503), it would be useful to push out releases soon. Some options I see: a) wait for POI for both 2.9.1 and 3.0.0-BETA b) revert POI for 2.9.1 and start the release process; wait for POI for 3.0.0-BETA c) revert POI for 3.0.0-BETA and start the release process; wait for POI for 2.9.1 d) revert POI for 2.9.1 and 3.0.0-BETA and release both We also have a re-request to fix the tika as service scripts. Not clear that I have the knowledge or time to work on that in the near term. What do you think? Best, Tim
