POI vulnerabilities #642
Comments
Ooh! That is great. I was looking at upgrading this the other day and also noticed that the API was changed. Thanks for taking this on. |
I was able to get this to work for my client in 4.8 but I didn't use Maven. I just let Eclipse auto-build the classes and copied them into the BIRT runtime jar and it worked, but in 4.9 I need to use Maven. I have zero experience with using Maven for building things that require Eclipse plugins. I can see that the 3.9 POI jars are getting put into a variety of lib and plugins folders, all of which are inside target folders, so Maven is putting them there but I don't know how it knows to do that. I need to switch 3.9 to 4.1.1 and add 3 other plugins from Orbit. I've found a couple of files by searching for /poi.*3.9/ but modifying them hasn't done anything except cause errors. Maybe it's using a target platform but I can't figure out how. Can anyone give me any guidance? |
You can just update the .target file. It is located in the org.eclipse.build.target bundle in the build folder. https://github.com/eclipse/birt/tree/master/build/org.eclipse.birt.target Let me know if you need help. |
I see a file named org.eclipse.birt.target.target and it contains these lines:
How does it know those are currently 3.9 and how can I change to 4.1.1? Update: I see the <repository> tag and it's pointing to an orbit repo that only has poi 3.9. The latest repo has both 3.9 and 4.1.1. I'll experiment with it. |
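As an added check, not code from this thread or from the BIRT project: the script below parses a constructed `.target` file in the Eclipse target-definition format and reports POI units still pinned below 4.1.1, which is where the "it's 3.9" answer in the comment above comes from (the `<unit version="...">` entries under each `<repository>`). The repository URLs, drop names and version qualifiers are made up, and `org.apache.poi` as the Orbit bundle id is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Eclipse target-definition (.target) format, not BIRT's real file:
# one InstallableUnit location still pinned to a 3.9 Orbit build, one moved to 4.1.1.
SAMPLE_TARGET = """<target name="sample" sequenceNumber="1">
  <locations>
    <location includeMode="planner" type="InstallableUnit">
      <repository location="https://example.invalid/orbit/OLD-DROP/repository"/>
      <unit id="org.apache.poi" version="3.9.0.v201405241750"/>
    </location>
    <location includeMode="planner" type="InstallableUnit">
      <repository location="https://example.invalid/orbit/NEW-DROP/repository"/>
      <unit id="org.apache.poi" version="4.1.1.v20200113-1650"/>
      <unit id="org.apache.poi.ooxml" version="0.0.0"/>
    </location>
  </locations>
</target>
"""

FIXED_POI = (4, 1, 1)  # version the thread moves to; 3.9 carries the CVEs listed in the issue


def parse_version(v):
    """major.minor.micro of an OSGi/p2 version; '0.0.0' in a .target means 'newest available'."""
    nums = [int(p) if p.isdigit() else 0 for p in v.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def poi_units(target_xml):
    """List (repository URL, unit id, version) for every POI unit in a target definition."""
    found = []
    for loc in ET.fromstring(target_xml).iter("location"):
        repo = loc.find("repository")
        url = repo.get("location") if repo is not None else None
        for unit in loc.findall("unit"):
            if unit.get("id", "").startswith("org.apache.poi"):
                found.append((url, unit.get("id"), unit.get("version")))
    return found


def outdated_poi_units(target_xml, fixed=FIXED_POI):
    """POI units pinned below the fixed version; unpinned (0.0.0) units are not flagged."""
    return [(url, uid, ver) for url, uid, ver in poi_units(target_xml)
            if parse_version(ver) != (0, 0, 0) and parse_version(ver) < fixed]


if __name__ == "__main__":
    for url, uid, ver in outdated_poi_units(SAMPLE_TARGET):
        print(f"{uid} {ver} from {url} is below 4.1.1")
```

Run it against the real `org.eclipse.birt.target.target` by reading that file instead of `SAMPLE_TARGET`; any unit it reports needs its version and its `<repository location>` moved to an Orbit drop that carries 4.1.1.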
This was the error I was getting: [INFO] Scanning for projects... but it turns out I accidentally deleted the leading quote, so it was a syntax error. Following is what I changed, in case anyone has any comments. Some of these might be unnecessary. build/org.eclipse.birt.target/org.eclipse.birt.target.target:
build/org.eclipse.birt.build/externalRepo.properties: releng/maps/orbit_bundles.map: 4 MANIFEST.MF files: |
Ok, that looks fine. Please create a PR to see if it builds correctly. |
Update POI plugins to version 4.1.1 and add dependent plugins. Signed-off-by: Steve Schafer <sschafer@innoventsolutions.com>
PR successful, so closing |
POI 3.9 contains a number of vulnerabilities:
CVE-2017-12626
CVE-2017-5644
CVE-2016-5000
CVE-2014-9527
CVE-2014-3574
CVE-2014-3529
that I know about. POI 4.1.1 does not have these vulnerabilities and is available on orbit but the interfaces are somewhat incompatible. I'm presently working on this for a client in 4.8 and can apply these to 4.9 after I finish.
This is a bugzilla about vulnerabilities in multiple plugins including axis, derby, batik and poi: https://bugs.eclipse.org/bugs/show_bug.cgi?id=522431. I think it might be more manageable to break them out into individual issues.