Any other opinions on if and how many CVEs we need to request? We need to.get back to the requestor.
On Sep 20, 2017 1:38 PM, "pj.fanning" <[email protected]> wrote: > Would it be possible to consider moving the H??F code to a separate jar? > That > is, having the shared code in poi.jar but the X??F impls in poi-ooxml.jar > and the H??F impls in poi-legacy.jar (or some better name). > I would assume that a lot of the CVEs would relate to H??F code. > In my team, we only use the XSSF code and our Security team disapprove of > us > using jar versions with any CVEs listed for them. poi-ooxml.jar depends on > poi.jar and any H??F related CVEs would affect the poi.jar as things stand. > > > > -- > Sent from: http://apache-poi.1045710.n5.nabble.com/POI-User-f2280730.html > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > >
