Thank you for the ping. I'll respond now, and we can discuss from there.

-----Original Message-----
From: Javen O'Neal [mailto:[email protected]]
Sent: Wednesday, September 27, 2017 11:39 AM
To: POI Users List <[email protected]>
Subject: Re: RE: [ANNOUNCE] Apache POI 3.17 released

Any other opinions on if and how many CVEs we need to request? We need to get back to the requestor.

On Sep 20, 2017 1:38 PM, "pj.fanning" <[email protected]> wrote:

> Would it be possible to consider moving the H??F code to a separate jar?
> That is, having the shared code in poi.jar but the X??F impls in
> poi-ooxml.jar and the H??F impls in poi-legacy.jar (or some better name).
> I would assume that a lot of the CVEs would relate to H??F code.
> In my team, we only use the XSSF code and our Security team disapprove
> of us using jar versions with any CVEs listed for them. poi-ooxml.jar
> depends on poi.jar and any H??F related CVEs would affect the poi.jar
> as things stand.
