[ https://issues.apache.org/jira/browse/NIFI-4821?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16397722#comment-16397722 ]

ASF GitHub Bot commented on NIFI-4821:
--------------------------------------

Github user pvillard31 commented on the issue:

    https://github.com/apache/nifi/pull/2534
  
    Checked the dependency tree using maven, looked at the differences between 
3.16 and 3.17 in terms of dependencies, read the release note and change log 
between the two versions to ensure we're not missing anything. +1, it LGTM, 
merging to master. Thanks @jomach 


> Upgrade to Apache POI 3.16 or newer
> -----------------------------------
>
>                 Key: NIFI-4821
>                 URL: https://issues.apache.org/jira/browse/NIFI-4821
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Extensions
>            Reporter: Joseph Witt
>            Assignee: Joseph Witt
>            Priority: Major
>             Fix For: 1.6.0
>
>
> CVE-2017-12626 was announced today with the text:
>  
> Title: CVE-2017-12626 – Denial of Service Vulnerabilities in Apache POI < 3.17
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions affected: versions prior to version 3.17
> Description:   
>     Apache POI versions prior to release 3.17 are vulnerable to Denial of 
> Service Attacks:
>     * Infinite Loops while parsing specially crafted WMF, EMF, MSG and macros
>           (POI bugs 61338 [0] and 61294 [1])
>     * Out of Memory Exceptions while parsing specially crafted DOC, PPT and 
> XLS 
>           (POI bugs 52372 [2] and 61295 [3])
> Mitigation:  Users with applications which accept content from external or 
> untrusted sources are advised to upgrade to Apache POI 3.17 or newer.
> -Tim Allison
> on behalf of the Apache POI PMC
>  
> [0] [https://bz.apache.org/bugzilla/show_bug.cgi?id=61338]
> [1] [https://bz.apache.org/bugzilla/show_bug.cgi?id=61294]
> [2] [https://bz.apache.org/bugzilla/show_bug.cgi?id=52372]
> [3] [https://bz.apache.org/bugzilla/show_bug.cgi?id=61295]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
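Added example, not part of the JIRA thread or of the NiFi project's code: the review comment above says the fix was verified by checking the Maven dependency tree. The shell check below does that verification mechanically, parsing `mvn dependency:tree` output for `org.apache.poi` artifacts and flagging any whose version is older than 3.17, the fixed release the advisory names. The dependency tree it runs against is constructed sample data, not NiFi's real tree, and the function names (`version_lt`, `flag_old_poi`, `vulnerable_poi_in_sample`) are mine; in a real build you would pipe `mvn dependency:tree` into `flag_old_poi 3.17` instead.

```shell
#!/bin/sh
# Constructed sample of `mvn dependency:tree` output (NOT NiFi's actual tree).
# Lines have the shape: [INFO] +- group:artifact:type[:classifier]:version:scope
SAMPLE_TREE='[INFO] org.example:example-processors:jar:1.0.0-SNAPSHOT
[INFO] +- org.apache.poi:poi:jar:3.16:compile
[INFO] |  +- commons-codec:commons-codec:jar:1.10:compile
[INFO] |  \- org.apache.commons:commons-collections4:jar:4.1:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.17:compile
[INFO] |  \- org.apache.poi:poi-ooxml-schemas:jar:3.17:compile
[INFO] \- org.apache.poi:poi-scratchpad:jar:3.15:compile'

# version_lt A B: print "yes" if dotted version A is numerically older than B,
# otherwise "no". Missing components count as 0, so 3.17 == 3.17.0.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) { print "yes"; exit }
      if (xi > yi) { print "no";  exit }
    }
    print "no"
  }'
}

# flag_old_poi FIXED: read dependency:tree text on stdin and print
# group:artifact:version for every org.apache.poi artifact older than FIXED.
flag_old_poi() {
  fixed="$1"
  grep -E 'org\.apache\.poi:' | sed -E 's/^.*(org\.apache\.poi:[^ ]+)$/\1/' |
  while IFS= read -r coord; do
    group=$(printf '%s' "$coord" | cut -d: -f1)
    artifact=$(printf '%s' "$coord" | cut -d: -f2)
    # The version is the second-to-last colon field; the scope is the last one.
    version=$(printf '%s' "$coord" | awk -F: '{print $(NF-1)}')
    if [ "$(version_lt "$version" "$fixed")" = "yes" ]; then
      printf '%s:%s:%s\n' "$group" "$artifact" "$version"
    fi
  done
}

# Run the check against the constructed sample tree with the advisory's fixed version.
vulnerable_poi_in_sample() {
  printf '%s\n' "$SAMPLE_TREE" | flag_old_poi 3.17
}

vulnerable_poi_in_sample
```

Against the sample, `poi:3.16` and `poi-scratchpad:3.15` are reported while the 3.17 artifacts are not. The comparison is purely numeric on dotted components, so pre-release qualifiers such as `-beta1` are ignored; for a real audit, run the same check on every module's tree, since a transitive POI pulled in by another dependency is exactly the case that a top-level version bump misses.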