From ${URL} :

The Apache POI project is pleased to announce the release of POI 3.10.1-20140818.
This release is a bugfix release to fix two security issues with OOXML.

See the downloads page for binary and source distributions: http://poi.apache.org/download.html

Release Notes

Changes
------------

The most notable changes in this release are:

This release is a bugfix release to fix two security issues with OOXML:

- Tidy up the OPC SAX setup code with a new common Helper, preventing external entity expansion (CVE-2014-3529).
- On supported XML parser versions (Xerces or JVM built-in, XMLBeans 2.6), enforce sensible limits on entity expansion in OOXML files, and ensure that subsequent normal files still pass fine (CVE-2014-3574).

Please note: You should use xmlbeans-2.6.jar (as shipped with this release) instead of the xmlbeans-2.3.jar version from the 3.10-FINAL release to work around CVE-2014-3574. If you have an alternate XML parser like Apache Xerces in classpath, be sure to use a recent version! Older versions are likely to break on setting required security features.

Thanks to Stefan Kopf, Mike Boufford, Mohamed Ramadan, and Christian Schneider for reporting these issues!

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
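An added example, not part of this bug report and not Apache POI's own code: a SAX reader set up in one shared helper along the lines the release notes describe, with external entities disabled and the parser's built-in entity expansion limits switched on. The class and method names are hypothetical, the sample document is constructed, and the JVM built-in parser is assumed.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

class HardenedSaxDemo {
    // Hypothetical helper: the single place where every XMLReader is created,
    // so no call site can forget a security setting.
    static XMLReader newHardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        // Enables the parser's processing limits, including the cap on entity
        // expansions. setFeature throws if the parser on the classpath does not
        // support a feature, so an outdated parser fails here instead of
        // silently running unprotected.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Do not load external general or parameter entities.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        XMLReader r = f.newSAXParser().getXMLReader();
        // Second layer: any external entity the parser still asks for is
        // answered with empty content instead of being fetched.
        r.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return r;
    }

    // Parses the document with the hardened reader and returns its character data.
    static String textOf(String xml) throws Exception {
        StringBuilder sb = new StringBuilder();
        XMLReader r = newHardenedReader();
        r.setContentHandler(new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int len) {
                sb.append(ch, start, len);
            }
        });
        r.parse(new InputSource(new StringReader(xml)));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: declares an external entity with a placeholder system id.
        String doc = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE d [<!ENTITY x SYSTEM \"file:///placeholder-not-a-real-path\">]>"
            + "<d>a&x;b</d>";
        // The entity reference is skipped, so only the literal text is reported.
        System.out.println(textOf(doc));
    }
}
```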
Package masked for removal. We will close this bug after the removal.
GLSA Vote: No
GLSA Vote: No
Setting as cleanup, until package is removed for tracking purposes only.
Package has already been removed. See bug 402757.