
Update Apache POI in Spring 4.3.x [SPR-17385] #21918

Closed
spring-projects-issues opened this issue Oct 15, 2018 · 3 comments


@spring-projects-issues spring-projects-issues commented Oct 15, 2018

GFriedrich opened SPR-17385 and commented

I just saw that Spring WebMVC in the 4.3.x branch has an optional dependency on Apache POI 3.14.

This version of Apache POI is vulnerable to CVE-2017-5644 and CVE-2017-12626.

I'm wondering whether it would be possible to update to the latest Apache POI 3.x on this branch?

I know that Spring 4.3.x is in some kind of maintenance mode, but maybe it's an easy task. But you know for sure better than I do. :)

Thanks in advance.


Affects: 4.3.20

Referenced from: commits bf9043c


@spring-projects-issues spring-projects-issues commented Nov 30, 2018

Rossen Stoyanchev commented

That's right, 4.3.x is in maintenance mode. It is an optional dependency, however, so a project has to choose the version. That said, from the reports CVE-2017-5644 and CVE-2017-12626 it looks like upgrading to 3.17 should cover those issues.


@spring-projects-issues spring-projects-issues commented Dec 2, 2018

Juergen Hoeller commented

Indeed, 3.14 is just the POI version that we happen to compile against, as a baseline for our API dependency. Like with all of our optional integration arrangements, the specific version for a particular application is always chosen by the application project setup.

So we effectively support POI 3.14+ for use with Spring Framework 4.3.x, recommending the latest in line... since even POI 3.17 is being superseded by POI 4.0 in the meantime, we should be able to upgrade our build dependency to it in the 4.3.x line at this point.
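The two comments above make the practical point: because Spring declares POI as an optional dependency, it is never pulled into an application transitively, so the application's own build decides which POI version is on the classpath. The following Maven fragment is an added illustration (not from the Spring Framework project or this thread) of what that looks like in an application's pom.xml: the first `<dependency>` block shows the pre-fix pin to 3.14 that the reporter was concerned about, the second shows the 3.17 pin that the thread identifies as covering CVE-2017-5644 and CVE-2017-12626. The `spring-webmvc` and `org.apache.poi` coordinates are real; the Spring version is the one the issue reports as affected (4.3.20), and the inclusion of `poi-ooxml` is an assumption about an application that handles .xlsx files.

```xml
<!-- Added example of an application pom.xml fragment; not code from Spring Framework or from this issue. -->
<dependencies>
  <!-- Spring WebMVC 4.3.x compiles against POI 3.14 as an optional dependency,
       so nothing from org.apache.poi arrives transitively through this artifact. -->
  <dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-webmvc</artifactId>
    <version>4.3.20.RELEASE</version>
  </dependency>

  <!-- Before: the application pinned the same baseline version Spring compiles against.
       3.14 is the version the reporter flags as affected by CVE-2017-5644 and CVE-2017-12626. -->
  <!--
  <dependency>
    <groupId>org.apache.poi</groupId>
    <artifactId>poi</artifactId>
    <version>3.14</version>
  </dependency>
  -->

  <!-- After: the application chooses the POI version itself; per the thread, 3.17
       covers the two reported CVEs. Spring's optional declaration has no say here. -->
  <dependency>
    <groupId>org.apache.poi</groupId>
    <artifactId>poi</artifactId>
    <version>3.17</version>
  </dependency>
  <!-- Assumed: the application also reads/writes .xlsx, which needs poi-ooxml.
       Keep it on the same version as poi to avoid mixed-version classpaths. -->
  <dependency>
    <groupId>org.apache.poi</groupId>
    <artifactId>poi-ooxml</artifactId>
    <version>3.17</version>
  </dependency>
</dependencies>
```

The check that goes with this is to confirm the resolved version rather than trust the declaration: `mvn dependency:tree -Dincludes=org.apache.poi` prints every POI artifact on the effective classpath, which is where a stale 3.14 dragged in by some other library would show up.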


@spring-projects-issues spring-projects-issues commented Dec 3, 2018

Juergen Hoeller commented

I've upgraded our 4.3.x branch to POI 3.17, aligned with the 5.0.x branch.
