This is the issue solved by 2.16.0:
https://www.cve.org/CVERecord?id=CVE-2021-45046
I think that 2.15.0 is probably good enough for now. We can upgrade
to 2.16.0 in 2.2.1, when we upgrade PDFBox and POI early in the new
year.
If anyone has a technical reason to think we should respin 2.2.0-rc1,
please vote/let us know.
Thank you, all!
Cheers,
Tim

On Mon, Dec 13, 2021 at 7:59 PM Tim Allison <[email protected]> wrote:
>
> I'll dig deeper tomorrow, but I think we're ok with 2.15. I like what
> they've done with 2.16.0. :D
>
> On Mon, Dec 13, 2021 at 7:57 PM Dave Fisher <[email protected]> wrote:
> >
> > You’ll need to evaluate that yourself.
> >
> > > On Dec 13, 2021, at 4:56 PM, Tim Allison <[email protected]> wrote:
> > >
> > > Do we have to do a respin of the release candidate or is this marginally
> > > better?
> > >
> > >> On Mon, Dec 13, 2021 at 7:43 PM Dave Fisher <[email protected]> wrote:
> > >>
> > >> https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4
> >