Bug 522144 (CVE-2014-3529) - dev-java/poi: two vulnerabilities (CVE-2014-3529)
Summary: dev-java/poi: two vulnerabilities (CVE-2014-3529)
Alias: CVE-2014-3529
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on: 402757
Reported: 2014-09-04 10:43 UTC by Agostino Sarubbo
Modified: 2015-12-19 12:42 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-09-04 10:43:13 UTC
From ${URL} :

The Apache POI project is pleased to announce the release of POI 3.10.1-20140818. 
This release is a bugfix release to fix two security issues with OOXML.

See the downloads page for binary and source distributions:

Release Notes 

The most notable changes in this release are:

This release is a bugfix release to fix two security issues with OOXML:
 - Tidy up the OPC SAX setup code with a new common Helper, preventing
   external entity expansion (CVE-2014-3529).
 - On supported XML parser versions (Xerces or JVM built-in, XMLBeans 2.6),
   enforce sensible limits on entity expansion in OOXML files, and ensure
   that subsequent normal files still pass fine (CVE-2014-3574).

Please note: You should use xmlbeans-2.6.jar (as shipped with this release)
instead of the xmlbeans-2.3.jar version from the 3.10-FINAL release to work
around CVE-2014-3574. If you have an alternate XML parser like Apache Xerces
in classpath, be sure to use a recent version! Older versions are likely to
break on setting required security features.

Thanks to Stefan Kopf, Mike Boufford, Mohamed Ramadan, and Christian Schneider
for reporting these issues!

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
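Added example (not POI's own code and not part of this bug report): the kind of SAX hardening the release note above describes for the OPC layer. It refuses any DOCTYPE (which removes both the external-entity vector of CVE-2014-3529 and the entity-expansion vector of CVE-2014-3574 at the source), disables external entity loading as a second layer, turns on the JDK/Xerces secure-processing limits, and fails closed when the parser on the classpath is too old to accept those features, which is the breakage the note warns about. The feature URIs are the standard Xerces/JDK ones; the class name, the XXE and "billion laughs" payloads and the sample OOXML-like document are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxDemo {

    // Feature URIs understood by Apache Xerces and the JDK's built-in (Xerces-derived) parser.
    static final String DISALLOW_DOCTYPE  = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXT_GENERAL_ENT   = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER_ENT = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** A SAXParserFactory with XXE and entity-expansion defences enabled, or an exception. */
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        try {
            // Refuse any DOCTYPE: no entity declarations means no XXE and no entity bomb.
            f.setFeature(DISALLOW_DOCTYPE, true);
            // Second layer in case a caller re-enables DOCTYPEs later.
            f.setFeature(EXT_GENERAL_ENT, false);
            f.setFeature(EXT_PARAMETER_ENT, false);
            f.setFeature(LOAD_EXTERNAL_DTD, false);
            // Enables the parser's built-in expansion limits (entityExpansionLimit and friends).
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            // Old Xerces builds reject these features; fail closed instead of parsing unprotected.
            throw new ParserConfigurationException(
                "XML parser does not support required security features: " + e);
        }
        return f;
    }

    /** Content handler that only counts character data, enough to show a parse succeeded. */
    static final class TextCounter extends DefaultHandler {
        long chars = 0;
        @Override public void characters(char[] ch, int start, int length) { chars += length; }
    }

    /** Parses xml with the given factory; returns the character-data length or throws. */
    static long parse(SAXParserFactory f, String xml)
            throws SAXException, IOException, ParserConfigurationException {
        XMLReader reader = f.newSAXParser().getXMLReader();
        // Should an entity reference ever be resolved, hand back an empty document, never a file or URL.
        reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        TextCounter counter = new TextCounter();
        reader.setContentHandler(counter);
        reader.parse(new InputSource(new StringReader(xml)));
        return counter.chars;
    }

    /** True if the parser refuses the document with a SAXException. */
    static boolean rejects(SAXParserFactory f, String xml) throws IOException, ParserConfigurationException {
        try { parse(f, xml); return false; } catch (SAXException e) { return true; }
    }

    // Constructed XXE payload: an external general entity that would read a local file.
    static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE d [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
      + "<d>&xxe;</d>";

    /** Constructed "billion laughs" document: 10^depth expansions of a three-character entity. */
    static String entityBomb(int depth) {
        StringBuilder sb = new StringBuilder("<?xml version=\"1.0\"?>\n<!DOCTYPE d [\n<!ENTITY lol0 \"lol\">\n");
        for (int i = 1; i <= depth; i++) {
            sb.append("<!ENTITY lol").append(i).append(" \"");
            for (int j = 0; j < 10; j++) sb.append("&lol").append(i - 1).append(';');
            sb.append("\">\n");
        }
        return sb.append("]>\n<d>&lol").append(depth).append(";</d>").toString();
    }

    // Constructed ordinary document, standing in for a benign OOXML part: must still parse.
    static final String NORMAL_DOC = "<?xml version=\"1.0\"?><sheet><row><c>42</c><c>hello</c></row></sheet>";

    public static void main(String[] args) throws Exception {
        SAXParserFactory hardened = hardenedFactory();
        System.out.println("XXE rejected:         " + rejects(hardened, XXE_DOC));          // true
        System.out.println("entity bomb rejected: " + rejects(hardened, entityBomb(6)));   // true
        System.out.println("normal chars counted: " + parse(hardened, NORMAL_DOC));        // 7
    }
}
```

Both malicious documents are refused at the DOCTYPE, before any entity is declared, while the plain document still parses; that last check is the "subsequent normal files still pass fine" half of the fix. With a Xerces jar too old to know these feature URIs, hardenedFactory() throws instead of returning a parser that silently lacks the protections, which is the safer reading of the release note's warning about older parsers.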
Comment 1 Patrice Clement gentoo-dev 2015-11-12 16:55:14 UTC
Package masked for removal. We will close this bug after the removal.
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2015-12-10 13:35:02 UTC
GLSA Vote: No
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-11 04:49:09 UTC
GLSA Vote: No

Setting as cleanup, until package is removed for tracking purposes only.
Comment 4 Patrice Clement gentoo-dev 2015-12-11 10:23:49 UTC
Package has already been removed. See bug 402757.