A denial of service flaw was found in the way the HSLFSlideShow class implementation in Apache POI handled certain PPT files. A remote attacker could submit a specially crafted PPT file that would cause Apache POI to hang indefinitely.
Upstream Issue: https://issues.apache.org/bugzilla/show_bug.cgi?id=57272
Upstream Fix: https://svn.apache.org/viewvc?view=revision&revision=1643680
There are some problems to solve for upgrading Apache POI to 3.11.
#1: I have no idea what license they use for these files, used by the poi-ooxml* artefacts:
http://www.ecma-international.org/publications/files/ECMA-ST/Office%20Open%20XML%201st%20edition%20Part%202%20(PDF).zip
http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd
http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd
http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcmitype.xsd
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
http://uri.etsi.org/01903/v1.3.2/XAdES.xsd
http://uri.etsi.org/01903/v1.4.1/XAdESv141.xsd
#2: Apache POI 3.11 uses xml-security 2.x; an xml-security update would cause compatibility problems that, for now, I prefer to avoid.
Regards
The Fixed In Version field of Security Response / vulnerability bugs is used to track information about which upstream version fixed the specific flaw.
apache-poi-3.10.1-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat JBoss Data Virtualization security and bug fix update
Via RHSA-2016:1135 https://access.redhat.com/errata/RHSA-2016:1135