[CVE-2016-5000] XML External Entity (XXE) Vulnerability in Apache POI's XLSX2CSV Example
CVE-2016-5000: XML External Entity (XXE) Vulnerability in Apache POI's XLSX2CSV Example

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: POI 3.5-3.13

Description: Apache POI's XLSX2CSV example uses Java's XML components to parse OpenXML files. Applications and users that use XLSX2CSV and accept such files from end-users are vulnerable to XML External Entity (XXE) attacks, which allow remote attackers to bypass security restrictions and read arbitrary files via a crafted OpenXML document that provides an XML external entity declaration in conjunction with an entity reference.

Mitigation: Upgrade to 3.14 or higher

Credit: This issue was discovered by Mauro Gentile of Minded Security.

-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org
[Bug 59738] Excel Files generated using XSSFWorkbook can't be opened using Ms-Excel or OpenOffice
https://bz.apache.org/bugzilla/show_bug.cgi?id=59738

--- Comment #10 from Dominik Stadler ---
Created attachment 34061
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=34061=edit
Difference that causes Excel to report the file as "broken"

It seems with Xalan you get some different XML parser as well and this way the namespace handling is broken, see the attached image.
Re: 3.15 beta 3 soon?
Hi,

The first one is fixed, at least in a way that allows to do a release, see
https://bz.apache.org/bugzilla/show_bug.cgi?id=59739

The second one should be fixed via r1746858 or r1750034

I will do a re-run of the regression tests as soon as we start release-preparations. This will show if both issues are fixed for good as I usually compare against the last GA release, i.e. 3.14 currently.

Dominik.

On Fri, Jul 22, 2016 at 3:36 AM, Javen O'Neal wrote:

> Have we taken care of these issues preventing Tika from using POI 3.15 beta 2...
>
> http://apache-poi.1045710.n5.nabble.com/VOTE-Apache-POI-3-15-beta2-release-RC1-tp5723676p5723705.html
>
> and "we have finished discussing how it should be done in the long run."
>
> http://apache-poi.1045710.n5.nabble.com/VOTE-Apache-POI-3-15-beta2-release-RC1-tp5723676p5723705.html
>
> If not, we can always punt to 3.15 beta 4/final.
>
> On Jul 21, 2016 4:28 PM, "Nick Burch" wrote:
>
> > On Fri, 22 Jul 2016, Andreas Beeker wrote:
> >
> >> When are your current tasks completed (e.g. in-place-writing...)?
> >
> > In-place write + write-to-File is now done for HSSF + HSLF + HPSF. That's probably enough for now. Once we've got some feedback, we can add it to HWPF, then decide how to do the same for X??F without breaking too much backwards compatibility + solving that "close may change things" unexpected issue
> >
> >> Who will roll the release? As usual, I'll be the fallback (as long as my key is valid ...)
> >
> > Anyone else want to give the docs a try? :)
> >
> > Nick
[Bug 59793] "Rule M2.4 exception : this error should NEVER happen!" error message is still being triggered even with POI v3.14
https://bz.apache.org/bugzilla/show_bug.cgi?id=59793

Dominik Stadler changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|---                         |WORKSFORME

--- Comment #5 from Dominik Stadler ---
Please reopen this bug if you can provide some more information here, currently there is not much we can do without the actual file that triggers this.