Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update Apache POI and POI Scratchpad #393

Closed
Faelean opened this issue May 11, 2022 · 4 comments
Closed

Update Apache POI and POI Scratchpad #393

Faelean opened this issue May 11, 2022 · 4 comments
Labels
3rdparty-problem maintenance
Milestone
7.1.2

Comments

@Faelean
Copy link

Faelean commented May 11, 2022

Hey,

there is a CVE for the POI version that is currently used (https://nvd.nist.gov/vuln/detail/CVE-2022-26336).
Is it possible to just replace the dependencies on our own and update to 5.2.2 or are there any breaking changes that would prevent SJW from working if we do that?
@bbottema
Copy link
Owner

POI is used solely for the Outlook conversion support. If you don't use that you can just exclude that module altogether (or just exclude the dependencies).

If you do rely on that module, well I just tried and ran all the tests from the project with the newer POI version without any problems. So you could also just pin the POI dependency version to 5.2.2.

bbottema added a commit to bbottema/outlook-message-parser that referenced this issue May 13, 2022
@bbottema
#bbottema/simple-java-mail#393: fixed CVE issue by updating to newer …
2036eb5 
…POI version. Also relying on new parent pom which fixes vulnerable junit versions.
@bbottema bbottema mentioned this issue May 13, 2022
Closed
@bbottema
Copy link
Owner

FYI, I've released outlook-message-parser 1.9.0, which has the newer dependencies. You could now also just pin this version instead of managing POI directly.

bbottema added a commit that referenced this issue May 13, 2022
@bbottema
#393: depend on newer outlook-message-parser which contains updated P…
da950c2 
…OI dependencies, solving CVE-2022-26336
@Faelean
Copy link
Author

Faelean commented May 18, 2022

Thanks for the quick update, much appreciated.
We're using the Outlook conversion so removing the module isn't an option, but knowing that we can just replace POI until we release a new version is great.

bbottema added a commit that referenced this issue Jul 12, 2022
@bbottema
#393: use newer version of outlook-message-parser, updating Apache PO…
cd1defb 
…I and POI Scratchpad (and update parent pom for security update regarding log4j)
@bbottema bbottema added this to the 7.1.2 milestone Jul 12, 2022
@bbottema
Copy link
Owner

Released in 7.1.2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3rdparty-problem maintenance
Projects
None yet
Milestone
7.1.2
Development

No branches or pull requests
2 participants
@bbottema @Faelean