Update Apache POI in Spring 4.3.x [SPR-17385] #21918

Closed
spring-issuemaster opened this Issue Oct 15, 2018 · 3 comments

spring-issuemaster commented Oct 15, 2018

GFriedrich opened SPR-17385 and commented

I just saw that Spring WebMVC in the 4.3.x branch has an optional dependency of Apache POI 3.14.

This version of Apache POI is vulnerable to CVE-2017-5644 and CVE-2017-12626.

I'm wondering whether it would be possible to update to the latest Apache POI 3.x on this branch?

I know that Spring 4.3.x is in some kind of maintenance mode, but maybe it's an easy task. But you know for sure better than I do. :)

Thanks in advance.

Affects: 4.3.20

Referenced from: commits bf9043c

spring-issuemaster commented Nov 30, 2018

Rossen Stoyanchev commented

That's right, 4.3.x is in maintenance mode. It is an optional dependency, however, so a project has to choose the version. That said, from the reports CVE-2017-5644 and CVE-2017-12626 it looks like upgrading to 3.17 should cover those issues.

spring-issuemaster commented Dec 2, 2018

Juergen Hoeller commented

Indeed, 3.14 is just the POI version that we happen to compile against, as a baseline for our API dependency. Like with all of our optional integration arrangements, the specific version for a particular application is always chosen by the application project setup.

So we effectively support POI 3.14+ for use with Spring Framework 4.3.x, recommending the latest in line... since even POI 3.17 is being superseded by POI 4.0 in the meantime, we should be able to upgrade our build dependency to it in the 4.3.x line at this point.
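The two comments above make the practical point: because Spring WebMVC only declares POI as an optional dependency, nothing about POI is pulled in transitively, and the version an application actually ships is whatever its own build declares. The following Gradle build file is an added example (not from this issue or from the Spring project) showing how an application on the 4.3.x line pins POI to 3.17, the version the thread names as covering the two CVEs; the Spring version 4.3.20.RELEASE is taken from the issue's "Affects" field, and the use of `AbstractXlsView`/`AbstractXlsxView` as the consumer of POI is assumed.

```groovy
// Added example: application build on Spring Framework 4.3.x with POI-backed Excel views.
// Spring WebMVC marks POI as optional, so the application must declare POI itself
// and thereby decides which version is on the classpath.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // Spring WebMVC 4.3.x (version from the issue's "Affects" field; assumed for this example)
    implementation 'org.springframework:spring-webmvc:4.3.20.RELEASE'

    // Apache POI pinned to 3.17, the version the issue names as covering
    // CVE-2017-5644 and CVE-2017-12626. 'poi' backs AbstractXlsView (.xls),
    // 'poi-ooxml' backs AbstractXlsxView (.xlsx).
    implementation 'org.apache.poi:poi:3.17'
    implementation 'org.apache.poi:poi-ooxml:3.17'
}

configurations.all {
    resolutionStrategy {
        // If some other library transitively requests an older POI (for example the
        // 3.14 baseline Spring compiles against), resolve to 3.17 instead of letting
        // Gradle's conflict resolution or a stray lower version win.
        force 'org.apache.poi:poi:3.17', 'org.apache.poi:poi-ooxml:3.17'
    }
}
```

After changing the build, `gradle dependencies --configuration runtimeClasspath` shows the resolved POI version, which is the value to check rather than the version Spring itself was compiled against.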

spring-issuemaster commented Dec 3, 2018

Juergen Hoeller commented

I've upgraded our 4.3.x branch to POI 3.17, aligned with the 5.0.x branch.
