The new version of POI is out (many thanks to PJ Fanning and the POI
devs!). PDFBox 3.0.1 is under vote and will likely be released by the end
of the week. Should we aim for a 3.0.0-BETA next week?

On Tue, Oct 17, 2023 at 6:16 AM Tim Allison <[email protected]> wrote:

> Y, that's where I was inclined as well.  Thank you, Tilman!
>
> I'm starting the release process for 2.9.1.
>
> On Tue, Oct 17, 2023 at 3:20 AM Tilman Hausherr <[email protected]>
> wrote:
>
>> b) because it seems to be the most "security-minded" approach.
>>
>> Tilman
>>
>> On 16.10.2023 21:59, Tim Allison wrote:
>> > All,
>> >
>> >    We detected and fixed an area for improvement in the version of POI that
>> > we just upgraded to (https://bz.apache.org/bugzilla/show_bug.cgi?id=67767).
>> > I should have caught this in earlier regression tests before the release of
>> > POI, but I clearly botched that comparison run.  I'm sorry.
>> >
>> >   My guess is that the next release of POI with that fix is probably a week
>> > or two away.  Given the compress CVE (CVE-2023-42503), it would be useful
>> > to push out releases soon.
>> >
>> > Some options I see:
>> > a) wait for POI for both 2.9.1 and 3.0.0-BETA
>> > b) revert POI for 2.9.1 and start the release process; wait for POI for
>> > 3.0.0-BETA
>> > c) revert POI for 3.0.0-BETA and start the release process; wait for POI
>> > for 2.9.1
>> > d) revert POI for 2.9.1 and 3.0.0-BETA and release both
>> >
>> > We also have a re-request to fix the tika as service scripts.  Not clear
>> > that I have the knowledge or time to work on that in the near term.
>> >
>> > What do you think?
>> >
>> > Best,
>> >
>> >        Tim
>> >
>>
>>
