
Bug 522144 (CVE-2014-3529)

Summary: dev-java/poi: two vulnerabilities (CVE-2014-3529)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: java
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 402757
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2014-09-04 10:43:13 UTC
From ${URL} :

The Apache POI project is pleased to announce the release of POI 3.10.1-20140818. 
This release is a bugfix release to fix two security issues with OOXML.

See the downloads page for binary and source distributions: http://poi.apache.org/download.html

Release Notes 

Changes
------------
The most notable changes in this release are:

This release is a bugfix release to fix two security issues with OOXML:
 - Tidy up the OPC SAX setup code with a new common Helper, preventing
   external entity expansion (CVE-2014-3529).
 - On supported XML parser versions (Xerces or JVM built-in, XMLBeans 2.6),
   enforce sensible limits on entity expansion in OOXML files, and ensure
   that subsequent normal files still pass fine (CVE-2014-3574).

Please note: You should use xmlbeans-2.6.jar (as shipped with this release)
instead of the xmlbeans-2.3.jar version from the 3.10-FINAL release to work
around CVE-2014-3574. If you have an alternate XML parser like Apache Xerces
in classpath, be sure to use a recent version! Older versions are likely to
break on setting required security features.

Thanks to Stefan Kopf, Mike Boufford, Mohamed Ramadan, and Christian Schneider
for reporting these issues!
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
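Added example (not from the bug report, from Gentoo, or from POI's own code) of the hardening the release notes describe: a SAX parser set up to refuse external entity expansion and to cap entity expansion, recording rather than failing on any feature an older parser does not recognise, which is the breakage the notes warn about. The class name, the 4096 limit and the two sample parts are constructed; the feature URIs are the standard SAX/Xerces ones and the limit property is the JDK's (7u40 and later), not POI's helper.

```java
import java.io.StringReader;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;
public class HardenedSaxSetup {
    // Standard SAX/Xerces feature names: refuse external entity expansion (CVE-2014-3529).
    static final String[][] FEATURES = {
        {"http://apache.org/xml/features/disallow-doctype-decl", "true"},
        {"http://xml.org/sax/features/external-general-entities", "false"},
        {"http://xml.org/sax/features/external-parameter-entities", "false"},
        {"http://apache.org/xml/features/nonvalidating/load-external-dtd", "false"},
    };
    // JDK 7u40+ property bounding entity expansion (CVE-2014-3574); old Xerces builds reject it.
    static final String EXPANSION_LIMIT = "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";
    // Hardened parser; a feature the installed parser lacks is recorded rather than fatal,
    // so ordinary files still parse with whatever protections are available.
    static SAXParser hardenedParser(Set<String> unsupported) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        for (String[] kv : FEATURES) {
            try { f.setFeature(kv[0], Boolean.parseBoolean(kv[1])); }
            catch (Exception e) { unsupported.add(kv[0]); }   // SAXNotRecognized/NotSupported
        }
        SAXParser p = f.newSAXParser();
        try { p.setProperty(EXPANSION_LIMIT, "4096"); }         // constructed limit, ample for real OOXML parts
        catch (SAXException e) { unsupported.add(EXPANSION_LIMIT); }
        return p;
    }
    public static void main(String[] args) throws Exception {
        Set<String> unsupported = new LinkedHashSet<>();
        // Constructed inputs: a minimal SpreadsheetML shared-strings part, then the same part
        // with a DOCTYPE declaring an external entity (the shape CVE-2014-3529 concerns).
        String[] parts = {
            "<sst xmlns=\"http://schemas.openxmlformats.org/spreadsheetml/2006/main\"><si><t>hi</t></si></sst>",
            "<!DOCTYPE sst [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]><sst><si><t>&ext;</t></si></sst>",
        };
        for (String xml : parts) {
            try {
                hardenedParser(unsupported).parse(new InputSource(new StringReader(xml)), new DefaultHandler());
                System.out.println("accepted: " + xml);
            } catch (SAXException e) {   // e.g. "DOCTYPE is disallowed when the feature ... is set to true"
                System.out.println("rejected: " + e.getMessage());
            }
        }
        System.out.println("features this parser lacks: " + unsupported);
    }
}
```

With the JDK's built-in parser the first part is accepted and the second is rejected at the DOCTYPE, before any entity is resolved; a non-empty "features this parser lacks" list is the signal to update the XML parser on the classpath, as the release notes advise.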
Comment 1 Patrice Clement gentoo-dev 2015-11-12 16:55:14 UTC
Package masked for removal. We will close this bug after the removal.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-12-10 13:35:02 UTC
GLSA Vote: No
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-12-11 04:49:09 UTC
GLSA Vote: No

Setting as cleanup, until package is removed for tracking purposes only.
Comment 4 Patrice Clement gentoo-dev 2015-12-11 10:23:49 UTC
Package has already been removed. See bug 402757.