Y, that's where I was inclined as well. Thank you, Tilman! I'm starting the release process for 2.9.1.
On Tue, Oct 17, 2023 at 3:20 AM Tilman Hausherr <[email protected]> wrote: > b) because it seems to be the most "security-minded" approach. > > Tilman > > On 16.10.2023 21:59, Tim Allison wrote: > > All, > > > > We detected and fixed an area for improvement in the version of POI > that > > we just upgraded to ( > https://bz.apache.org/bugzilla/show_bug.cgi?id=67767). > > I should have caught this in earlier regression tests before the release > of > > POI, but I clearly botched that comparison run. I'm sorry. > > > > My guess is that the next release of POI with that fix is probably a > week > > or two away. Given the compress cve (CVE-2023-42503), it would be useful > > to push out releases soon. > > > > Some options I see: > > a) wait for POI for both 2.9.1 and 3.0.0-BETA > > b) revert POI for 2.9.1 and start the release process; wait for POI for > > 3.0.0-BETA > > c) revert POI for 3.0.0-BETA and start the release process; wait for POI > > for 2.9.1 > > d) revert POI for 2.9.1 and 3.0.0-BETA and release both > > > > We also have a re-request to fix the tika as service scripts. Not clear > > that I have the knowledge or time to work on that in the near term. > > > > What do you think? > > > > Best, > > > > Tim > > > >
