The Apache POI project is pleased to announce the release of POI 4.1.1.
Featured are a handful of new areas of functionality, and numerous bug fixes.

See the downloads page for binary and source distributions:
https://poi.apache.org/download.html

Release Notes

Changes
------------

The most notable changes in this release are:

- XSSF: Memory improvements which use much less memory while writing large xlsx files
- XDDF: Improved chart support: more types and some API changes around angles and width units
- Updated dependencies to Bouncycastle 1.62, Commons-Codec 1.13, Commons-Collections4 4.4, Commons-Compress 1.19
- XWPF: Additional API methods
- XSSF: Fixes to XSSFSheet.addMergedRegion() and XSSFRow.shiftRows()
- EMF/HSLF: Rendering fixes
- CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI

A full list of changes is available in the change log:
https://poi.apache.org/changes.html.
People interested should also follow the dev mailing list to track further progress.

CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI
-------------------------------------------------------------------

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache POI up to version 4.1.0

Description:
When using the tool XSSFExportToXml to convert user-provided Microsoft
Excel documents, a specially crafted document can allow an attacker to
read files from the local filesystem or from internal network resources
via XML External Entity (XXE) Processing.

Mitigation:
Apache POI 4.1.0 and before: users who do not use the tool XSSFExportToXml
are not affected. Affected users are advised to update to Apache POI 4.1.1,
which fixes this vulnerability.

Credit:
This issue was discovered by Artem Smotrakov from SAP

References:
https://en.wikipedia.org/wiki/XML_external_entity_attack

Release Contents
----------------

This release comes in two forms:

- pre-built binaries containing compiled versions of all Apache POI components and documentation
  (poi-bin-4.1.1-20191023.zip or poi-bin-4.1.1-20191023.tar.gz)
- source archive you can build POI from
  (poi-src-4.1.1-20191023.zip or poi-src-4.1.1-20191023.tar.gz)

Unpack the archive and use the following command to build all POI components
with Apache Ant 1.8+ and JDK 1.8 or higher:

  ant jar

Pre-built versions of all POI components are also available in the central
Maven repository under Group ID "org.apache.poi" and Version "4.1.1".

All release artifacts are accompanied by MD5 checksums and PGP signatures
that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at
https://svn.apache.org/repos/asf/poi/tags/REL_4_1_1/KEYS

About Apache POI
-----------------------

Apache POI is well-known in the Java field as a library for reading and
writing Microsoft Office file formats, such as Excel, PowerPoint, Word,
Visio, Publisher and Outlook. It supports both the older (OLE2) and
new (OOXML - Office Open XML) formats.

See https://poi.apache.org/ for more details.
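
For triaging the CVE-2019-12415 advisory above, the following is an added example (not part of the Apache POI announcement or the project's code): it reports a deployment as affected only when a POI jar older than 4.1.1 is present and an application class references XSSFExportToXml. The jar names, the `com/example` classes and the verdict strings are constructed for illustration, and the fully qualified class name is an assumption taken from the POI code base, not from the announcement.

```python
import io
import re
import zipfile

# Assumed fully qualified name of the tool (not given in the announcement),
# in the internal slash form stored in a .class constant pool.
TOOL_REF = b"org/apache/poi/xssf/extractor/XSSFExportToXml"
FIXED = (4, 1, 1)  # first fixed release per the advisory
POI_JAR = re.compile(r"(?:^|/)poi(?:-[a-z-]+)?-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")

def poi_version(jar_name):
    """Return (major, minor, patch) parsed from a POI jar file name, else None."""
    m = POI_JAR.search(jar_name)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def references_tool(jar_bytes):
    """True if a non-POI class in the jar names XSSFExportToXml.
    Static check only: use via reflection is not detected."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return any(
            n.endswith(".class") and not n.startswith("org/apache/poi/")
            and TOOL_REF in jar.read(n)
            for n in jar.namelist()
        )

def triage(jars):
    """jars maps file name -> jar bytes; returns a triage verdict string."""
    if not any((v := poi_version(n)) and v < FIXED for n in jars):
        return "ok"
    app = [b for n, b in jars.items() if poi_version(n) is None]
    return "affected" if any(references_tool(b) for b in app) else "old-poi-tool-unused"

def make_jar(files):
    """Build a jar in memory from {entry name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed samples: the "class" bytes are stand-ins, not real bytecode.
EXPORTER = make_jar({"com/example/Export.class": b"\xca\xfe\xba\xbe..." + TOOL_REF})
READER = make_jar({"com/example/Read.class": b"\xca\xfe\xba\xbe...XSSFWorkbook"})
POI = make_jar({"org/apache/poi/xssf/extractor/XSSFExportToXml.class": TOOL_REF})

if __name__ == "__main__":
    print(triage({"lib/poi-ooxml-4.1.0.jar": POI, "app.jar": EXPORTER}))
```

A verdict of "old-poi-tool-unused" matches the advisory's statement that users who do not use XSSFExportToXml are not affected; updating to 4.1.1 still removes the vulnerable code.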