activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jean-Baptiste Onofré ...@nanthrax.net>
Subject Fwd: [SECURITY] Frame injection vulnerability in published Javadoc
Date Mon, 24 Jun 2013 07:02:02 GMT
Hi all,

I guess that most of you already saw this warning e-mail.

Camel, ActiveMQ, and CXF are affected (Karaf is not).

I will start to review ActiveMQ today and Camel tomorrow. Is someone 
from CXF can take a quick look ?

I will get back to you soon for ActiveMQ and Camel.

Thanks !
Regards
JB

-------- Original Message --------
Subject: [SECURITY] Frame injection vulnerability in published Javadoc
Date: Thu, 20 Jun 2013 09:29:23 +0100
From: Mark Thomas <markt@apache.org>
Reply-To: infrastructure@apache.org <infrastructure@apache.org>
To: committers@apache.org
CC: root@apache.org

Hi All,

Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
generated by Java 5, Java 6 and Java 7 before update 22.

The infrastructure team has completed a scan of our current project
websites and identified over 6000 instances of vulnerable Javadoc
distributed across most TLPs. The chances are the project(s) you
contribute to is(are) affected. A list of projects and the number of
affected Javadoc instances per project is provided at the end of this
e-mail.

Please take the necessary steps to fix any currently published Javadoc
and to ensure that any future Javadoc published by your project does not
contain the vulnerability. The announcement by Oracle includes a link to
a tool that can be used to fix Javadoc without regeneration.

The infrastructure team is investigating options for preventing the
publication of vulnerable Javadoc.

The issue is public and may be discussed freely on your project's dev list.

Thanks,

Mark (ASF Infra)



[1]
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
[2] http://www.kb.cert.org/vuls/id/225657

Project			Instances
abdera.apache.org	1
accumulo.apache.org	2
activemq.apache.org	105
any23.apache.org	13
archiva.apache.org	4
archive.apache.org	13
aries.apache.org	7
avro.apache.org		23
axis.apache.org		5
beehive.apache.org	16
bval.apache.org		12
camel.apache.org	786
cayenne.apache.org	4
chemistry.apache.org	6
click.apache.org	3
cocoon.apache.org	6
commons.apache.org	34
continuum.apache.org	9
creadur.apache.org	19
crunch.apache.org	4
ctakes.apache.org	2
curator.apache.org	4
cxf.apache.org		6
db.apache.org		39
directory.apache.org	4
empire-db.apache.org	1
felix.apache.org	5
flume.apache.org	5
geronimo.apache.org	241
giraph.apache.org	6
gora.apache.org		3
hadoop.apache.org	21
hbase.apache.org	2
hive.apache.org		4
hivemind.apache.org	10
incubator.apache.org	355
jackrabbit.apache.org	9
jakarta.apache.org	39
james.apache.org	53
jena.apache.org		5
juddi.apache.org	3
lenya.apache.org	46
logging.apache.org	111
lucene.apache.org	713
manifoldcf.apache.org	112
marmotta.apache.org	1
maven.apache.org	1623
maventest.apache.org	1178
mina.apache.org		2
mrunit.apache.org	3
myfaces.apache.org	348
nutch.apache.org	8
oltu.apache.org		11
oodt.apache.org		1
ooo-site.apache.org	1
oozie.apache.org	10
openjpa.apache.org	20
opennlp.apache.org	9
pdfbox.apache.org	1
pig.apache.org		7
pivot.apache.org	1
poi.apache.org		1
portals.apache.org	35
river.apache.org	2
santuario.apache.org	1
shale.apache.org	55
shiro.apache.org	3
sling.apache.org	2
sqoop.apache.org	4
struts.apache.org	190
subversion.apache.org	3
synapse.apache.org	1
syncope.apache.org	2
tapestry.apache.org	6
tika.apache.org		9
tiles.apache.org	12
turbine.apache.org	100
tuscany.apache.org	4
uima.apache.org		12
velocity.apache.org	41
whirr.apache.org	2
wicket.apache.org	3
wink.apache.org		13
ws.apache.org		22
xalan.apache.org	1
xerces.apache.org	5
xml.apache.org		1
xmlbeans.apache.org	3
zookeeper.apache.org	18





Mime
View raw message