mjul / docjure

Read and write Office documents from Clojure
MIT License
622 stars 129 forks

CVE-2019-12415 #85

Closed vemv closed 2 years ago

vemv commented 4 years ago

Hi there,

using [dk.ative/docjure "1.12.0"] will bring in CVE-2019-12415, as lein-nvd would indicate.

That is fixed with [org.apache.poi/poi "4.1.1"], but one cannot pull that change without running into https://github.com/mjul/docjure/issues/82, so https://github.com/mjul/docjure/pull/81 would be a great start.

cc/ @manuelherzog

mjul commented 4 years ago

Thanks for this; if you would submit a PR for upgrading to the latest POI version it would be great. Don't forget to add your name to the list of contributors in the README.md.

Also, if you could add lein-nvd to the project.clj it would be great, even more so if you also add it to the Travis CI.

vemv commented 4 years ago

Hi! Thanks for the response. Happy to see https://github.com/mjul/docjure/pull/81 merged.

Currently I cannot offer OSS contributions due to IP concerns.

mjul commented 4 years ago

No worries. Thank you for taking time to report the issue and for mentioning the lein-nvd check, which was unknown to me.

Jarzka commented 3 years ago

What is the status of this issue & PR?

vemv commented 3 years ago

I verified just now and checked that upgrading to [org.apache.poi/poi "4.1.1"] would not break the test suite. https://github.com/mjul/docjure/pull/86 was left open because it touches more aspects.

I'd suggest creating that thinner PR.

In the meantime, if feeling adventurous, I think you can just bump poi from the given consumer project!
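The two things the thread asks for, forcing a patched POI from the consumer side and wiring lein-nvd into the build, both live in the consumer's project.clj. Below is an added example of such a file; it is not docjure's own project.clj and not code from any commenter. The project name, the choice to pin `org.apache.poi/poi-ooxml` alongside `poi`, the lein-nvd version placeholder and the `:nvd {:fail-threshold ...}` key are assumptions (verify the key against the lein-nvd README for the release you use); the docjure and POI coordinates are the ones named in the issue.

```clojure
;; project.clj for a hypothetical consumer of docjure (added example, not
;; docjure's own project file). It shows (1) overriding the transitive POI
;; that docjure 1.12.0 pins, so the consumer gets the CVE-2019-12415 fix
;; without waiting for a docjure release, and (2) adding lein-nvd so the
;; dependency check runs with `lein nvd check`.
(defproject example/report-exporter "0.1.0"   ; hypothetical project name
  :description "Consumer project that overrides docjure's POI version"
  :dependencies [[org.clojure/clojure "1.10.1"]
                 ;; Exclude the POI modules docjure 1.12.0 would pull in, so the
                 ;; explicit coordinates below win instead of the vulnerable one.
                 [dk.ative/docjure "1.12.0" :exclusions [org.apache.poi/poi
                                                         org.apache.poi/poi-ooxml]]
                 ;; 4.1.1 is the version the issue names as fixing CVE-2019-12415.
                 [org.apache.poi/poi "4.1.1"]
                 ;; Assumption: keep the OOXML module at the same version as poi;
                 ;; mixed POI module versions tend to fail at runtime with
                 ;; NoSuchMethodError rather than at build time.
                 [org.apache.poi/poi-ooxml "4.1.1"]]
  ;; Placeholder: substitute the current lein-nvd release.
  :plugins [[lein-nvd "LEIN_NVD_VERSION"]]
  ;; Assumption: lein-nvd's :fail-threshold makes `lein nvd check` exit non-zero
  ;; when a finding's CVSS score is at or above this value, which is what lets
  ;; the same command fail a CI job (e.g. as a Travis CI script step).
  :nvd {:fail-threshold 7})
```

After editing, `lein deps :tree` shows which POI version actually resolved; if `org.apache.poi/poi 4.1.1` does not appear under the project's own entries, another dependency is still pulling the older artifact and needs the same exclusion. Run `lein nvd check` locally before adding it to CI so the first failing build is not a surprise.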

Jarzka commented 3 years ago

Here it is: https://github.com/mjul/docjure/pull/94

Jarzka commented 3 years ago

Can someone please merge the PR?

Jarzka commented 3 years ago

Anyone?

mjul commented 2 years ago

Closing this as fixed. Docjure version 1.18.0 uses the much newer POI version 5.2.2.