65451 – poi-ooxml uses a vulnerable dependency - commons-compress

Bug 65451 - poi-ooxml uses a vulnerable dependency - commons-compress

Summary: poi-ooxml uses a vulnerable dependency - commons-compress

Status:	RESOLVED FIXED

Alias:	None

Product:	POI
Classification:	Unclassified
Component:	POI Overall (show other bugs)
Version:	5.0.0-FINAL
Hardware:	All All

Importance:	P2 major (vote)
Target Milestone:	---
Assignee:	POI Developers List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-07-14 18:46 UTC by maor
Modified:	2021-07-14 18:59 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description maor 2021-07-14 18:46:32 UTC

commons-compress 1.20 is vulnerable:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35515
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35516
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35517
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090

Should be upgraded to 1.21

Comment 1 PJ Fanning 2021-07-14 18:51:33 UTC

this is already fixed in poi trunk and will be part of next release - you can modify your own build to use latest commons-compress as a workaround

Comment 2 maor 2021-07-14 18:54:11 UTC

Thanks for the prompt update!
Is there any place I can see the planned release timeline?

Comment 3 PJ Fanning 2021-07-14 18:59:07 UTC

release is not yet scheduled but there is a workaround - upgrade commons-compress in your own build - remember this is not a POI issue.