Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upUpdate Apache POI in Spring 4.3.x [SPR-17385] #21918
Comments
This comment has been minimized.
This comment has been minimized.
|
Rossen Stoyanchev commented That's right, 4.3.x is in maintenance mode. It is an optional dependency however so a project has to choose the version. That said from the reports CVE-2017-5644 and CVE-2017-12626 it looks like upgrading to 3.17 should cover those issues. |
This comment has been minimized.
This comment has been minimized.
|
Juergen Hoeller commented Indeed, 3.14 is just the POI version that we happen to compile against, as a baseline for our API dependency. Like with all of our optional integration arrangements, the specific version for a particular application is always chosen by the application project setup. So we effectively support POI 3.14+ for use with Spring Framework 4.3.x, recommending the latest in line... since even POI 3.17 is being superseded by POI 4.0 in the meantime, we should be able to upgrade our build dependency to it in the 4.3.x line at this point. |
This comment has been minimized.
This comment has been minimized.
|
Juergen Hoeller commented I've upgraded our 4.3.x branch to POI 3.17, aligned with the 5.0.x branch. |
spring-issuemaster commentedOct 15, 2018
GFriedrich opened SPR-17385 and commented
I just saw that Spring WebMVC in the 4.3.x branch has an optional dependency of Apache POI 3.14.
This version of Apache POI is vulnerable to CVE-2017-5644 and CVE-2017-12626
I'm wondering whether it would be possible to update to the latest Apache POI 3.x on this branch?
I know that Spring 4.3.x is in some kind of maintenance mode, but maybe it's an easy task. But you know for sure better than I do. :)
Thanks in advance.
Affects: 4.3.20
Referenced from: commits bf9043c