The Apache Calcite PMC is pleased to announce Apache Calcite release 1.32.0.

This release fixes CVE-2022-39135, an XML External Entity (XEE) vulnerability that allows a SQL query to read the contents of files via the SQL functions EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM or EXTRACT_VALUE.

Coming 1 month after 1.31.0 with 19 issues fixed by 17 contributors, this release also replaces the ESRI spatial engine with JTS and proj4j, adds 65 spatial SQL functions including ST_Centroid, ST_Covers and ST_GeomFromGeoJSON, adds the CHAR SQL function, and improves the return type of the ARRAY and MULTISET functions.

See the release notes; download the release.