concordion / concordion-excel-extension

Allows Concordion specifications to be in Excel format rather than HTML

Apache POI vulnerability #14

Closed dschwalm closed 5 years ago

dschwalm commented 5 years ago

Hi,

As all Apache POI versions prior to 3.15 contain a serious vulnerability, POI should be upgraded to at least 3.15, but preferably to 3.17.

https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-22766/Apache-POI.html

POI 3.17 contains breaking changes though: the getBoldweight() method has been removed from org.apache.poi.ss.usermodel.Font.

Any plans to do the upgrade?

Are PRs welcome?

Thanks, Daniel

robmoffat commented 5 years ago

A PR would be very welcome!


wilczelyko commented 5 years ago

I have just created a pull request with the POI upgrade.

dschwalm commented 5 years ago

I just waited because the tests failed and I did not have time to figure out how to fix them. I see that you did not update the tests either, correct?

wilczelyko commented 5 years ago

Nope, I haven't. Tests fail on my machine because of the locale: comma or dot as the floating-point separator. Is that what you mean? Adam


dschwalm commented 5 years ago

Yes, that is what I mean. I am not sure whether the test results should depend on the locale of the machine that executes the tests. My gut feeling is no. But to change that we may need to review these tests carefully.
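The locale dependence discussed in the two comments above is worth seeing concretely. The following is an added example, not code from concordion-excel-extension or from either commenter: it shows why a test that formats or parses a decimal with the JVM default locale passes on one machine and fails on another, and how pinning the locale (here `Locale.ROOT`, an assumption; the project may prefer a different fixed locale) makes the result machine-independent. The sample value 1.5 and the two simulated locales are constructed for the demonstration.

```java
import java.text.NumberFormat;
import java.text.ParseException;
import java.util.Locale;

public class LocaleIndependentNumbers {

    // Locale-dependent: NumberFormat.getInstance() picks up the JVM default locale,
    // so the same code yields "1.5" on an en_US machine and "1,5" on a pl_PL machine.
    static String formatWithDefaultLocale(double value) {
        return NumberFormat.getInstance().format(value);
    }

    // Locale-dependent parse of a comma-separated value: on pl_PL "1,5" is 1.5,
    // on en_US the comma is a grouping separator and the result is 15.
    static Number parseWithDefaultLocale(String text) throws ParseException {
        return NumberFormat.getInstance().parse(text);
    }

    // Locale-pinned (assumption: Locale.ROOT as the fixed locale). Same output
    // regardless of the machine running the test: "1.5" for 1.5.
    static String formatPinned(double value) {
        NumberFormat nf = NumberFormat.getInstance(Locale.ROOT);
        nf.setGroupingUsed(false);
        nf.setMinimumFractionDigits(1);
        return nf.format(value);
    }

    static double parsePinned(String text) throws ParseException {
        return NumberFormat.getInstance(Locale.ROOT).parse(text).doubleValue();
    }

    public static void main(String[] args) throws ParseException {
        // Simulate the two developer machines from the thread by switching the
        // default locale at runtime (constructed scenario).
        Locale[] machines = { Locale.US, Locale.forLanguageTag("pl-PL") };
        for (Locale machine : machines) {
            Locale.setDefault(machine);
            System.out.println("default locale " + machine);
            System.out.println("  default-locale format(1.5)  -> " + formatWithDefaultLocale(1.5));
            System.out.println("  default-locale parse(\"1,5\") -> " + parseWithDefaultLocale("1,5"));
            System.out.println("  pinned format(1.5)          -> " + formatPinned(1.5));
            System.out.println("  pinned parse(\"1.5\")         -> " + parsePinned("1.5"));
        }
    }
}
```

To reproduce a locale-dependent failure without changing the machine's settings, run the test JVM with the standard system properties, e.g. `-Duser.language=pl -Duser.country=PL`, and compare with a run under `-Duser.language=en -Duser.country=US`; a suite that is genuinely locale-independent passes under both.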

robmoffat commented 5 years ago

Fixed by @dschwalm with https://github.com/concordion/concordion-excel-extension/pull/17

robmoffat commented 5 years ago

Version 2.1.2 now available on maven central