David,
Thank you for raising this issue. If fellow devs are +1, I can fill out the
paperwork. Single CVE or multiple?
Best,
Tim
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, September 18, 2017 12:40 PM
To: [email protected]
Subject: Re: [ANNOUNCE] Apache POI 3.17 released
On 2017-09-16 18:06, Andreas Beeker <[email protected]> wrote:
> The Apache POI project is pleased to announce the release of POI 3.17.
> Featured are a handful of new areas of functionality, and numerous bug fixes.
> Changes
> ------------
> The most notable changes in this release are:
>
> - Various modules: add sanity checks and fix infinite loops / OOMs
> caused by fuzzed data
I've looked through the specific changes and several appear to be
vulnerabilities (e.g. 61294 and 61300 among others). Is the POI project
planning to get CVEs for these issues? If not, I'm happy to get them myself.
It makes the world a better place :-)
Thanks,
David
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected] For additional
commands, e-mail: [email protected]