A denial of service flaw was found in the way the HSLFSlideShow class implementation in Apache POI handled certain PPT files. A remote attacker could submit a specially crafted PPT file that would cause Apache POI to hang indefinitely.
There are some problems to solve in order to upgrade Apache POI to 3.11:
#1, I have no idea what license these files, used by poi-ooxml* artefacts, are under
#2, Apache POI 3.11 uses xml-security 2.x; an xml-security update would cause compatibility problems that for now I prefer to avoid
The Fixed In Version field of Security Response / vulnerability bugs is used to track information about what upstream version fixed specific flaws.
apache-poi-3.10.1-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat JBoss Data Virtualization security and bug fix update
Via RHSA-2016:1135 https://access.redhat.com/errata/RHSA-2016:1135