+1, two CVEs.

On Sep 19, 2017 05:00, "Allison, Timothy B." <[email protected]> wrote:
> Resending with proper cc. Thank you, Nick!
>
> -----Original Message-----
> From: Allison, Timothy B.
> Sent: Tuesday, September 19, 2017 7:57 AM
> To: [email protected]
> Subject: RE: [ANNOUNCE] Apache POI 3.17 released
>
> David,
> Thank you for raising this issue. If fellow devs are +1, I can fill out
> the paperwork. Single CVE or multiple?
>
> Best,
>
> Tim
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Monday, September 18, 2017 12:40 PM
> To: [email protected]
> Subject: Re: [ANNOUNCE] Apache POI 3.17 released
>
> On 2017-09-16 18:06, Andreas Beeker <[email protected]> wrote:
> > The Apache POI project is pleased to announce the release of POI 3.17.
> > Featured are a handful of new areas of functionality, and numerous bug
> > fixes.
> > Changes
> > ------------
> > The most notable changes in this release are:
> >
> > - Various modules: add sanity checks and fix infinite loops / OOMs
> >   caused by fuzzed data
>
> I've looked through the specific changes and several appear to be
> vulnerabilities (e.g. 61294 and 61300 among others). Is the POI project
> planning to get CVEs for these issues? If not, I'm happy to get them
> myself. It makes the world a better place :-)
>
> Thanks,
>
> David
