Subject: Re: [SECURITY] Frame injection vulnerability in published Javadoc [for our projects]
From: Andrus Adamchik
Date: Thu, 20 Jun 2013 15:42:03 -0400
To: dev@cayenne.apache.org
Message-Id: <8ABA97B6-BB7C-48EC-A7D7-72E56C79E421@objectstyle.org>

I won't be available to work on this at least until next Tuesday (or more likely - Wednesday).
Anyone else can get the updated stuff into our CMS? http://cayenne.apache.org/dev/cms-guide.html (which doesn't mention Javadocs) … they should be copied over to (or fixed in place with the Oracle tool at):

cms/content/docs/1.2/api
cms/content/docs/2.0/api
cms/content/docs/3.0/api
cms/content/docs/3.1/api

Andrus

On Jun 20, 2013, at 10:20 AM, Mike Kienenberger wrote:

> Another item for which we need to take action
>
>
> ---------- Forwarded message ----------
> From: Mark Thomas
> Date: Thu, Jun 20, 2013 at 4:29 AM
> Subject: [SECURITY] Frame injection vulnerability in published Javadoc
> To: committers@apache.org
> Cc: root@apache.org
>
>
> Hi All,
>
> Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
> generated by Java 5, Java 6 and Java 7 before update 22.
>
> The infrastructure team has completed a scan of our current project
> websites and identified over 6000 instances of vulnerable Javadoc
> distributed across most TLPs. The chances are the project(s) you
> contribute to is(are) affected. A list of projects and the number of
> affected Javadoc instances per project is provided at the end of this
> e-mail.
>
> Please take the necessary steps to fix any currently published Javadoc
> and to ensure that any future Javadoc published by your project does not
> contain the vulnerability. The announcement by Oracle includes a link to
> a tool that can be used to fix Javadoc without regeneration.
>
> The infrastructure team is investigating options for preventing the
> publication of vulnerable Javadoc.
>
> The issue is public and may be discussed freely on your project's dev list.
>
> Thanks,
>
> Mark (ASF Infra)
>
>
>
> [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
> [2] http://www.kb.cert.org/vuls/id/225657
>
> Project                    Instances
> abdera.apache.org          1
> accumulo.apache.org        2
> activemq.apache.org        105
> any23.apache.org           13
> archiva.apache.org         4
> archive.apache.org         13
> aries.apache.org           7
> avro.apache.org            23
> axis.apache.org            5
> beehive.apache.org         16
> bval.apache.org            12
> camel.apache.org           786
> cayenne.apache.org         4
> chemistry.apache.org       6
> click.apache.org           3
> cocoon.apache.org          6
> commons.apache.org         34
> continuum.apache.org       9
> creadur.apache.org         19
> crunch.apache.org          4
> ctakes.apache.org          2
> curator.apache.org         4
> cxf.apache.org             6
> db.apache.org              39
> directory.apache.org       4
> empire-db.apache.org       1
> felix.apache.org           5
> flume.apache.org           5
> geronimo.apache.org        241
> giraph.apache.org          6
> gora.apache.org            3
> hadoop.apache.org          21
> hbase.apache.org           2
> hive.apache.org            4
> hivemind.apache.org        10
> incubator.apache.org       355
> jackrabbit.apache.org      9
> jakarta.apache.org         39
> james.apache.org           53
> jena.apache.org            5
> juddi.apache.org           3
> lenya.apache.org           46
> logging.apache.org         111
> lucene.apache.org          713
> manifoldcf.apache.org      112
> marmotta.apache.org        1
> maven.apache.org           1623
> maventest.apache.org       1178
> mina.apache.org            2
> mrunit.apache.org          3
> myfaces.apache.org         348
> nutch.apache.org           8
> oltu.apache.org            11
> oodt.apache.org            1
> ooo-site.apache.org        1
> oozie.apache.org           10
> openjpa.apache.org         20
> opennlp.apache.org         9
> pdfbox.apache.org          1
> pig.apache.org             7
> pivot.apache.org           1
> poi.apache.org             1
> portals.apache.org         35
> river.apache.org           2
> santuario.apache.org       1
> shale.apache.org           55
> shiro.apache.org           3
> sling.apache.org           2
> sqoop.apache.org           4
> struts.apache.org          190
> subversion.apache.org      3
> synapse.apache.org         1
> syncope.apache.org         2
> tapestry.apache.org        6
> tika.apache.org            9
> tiles.apache.org           12
> turbine.apache.org         100
> tuscany.apache.org         4
> uima.apache.org            12
> velocity.apache.org        41
> whirr.apache.org           2
> wicket.apache.org          3
> wink.apache.org            13
> ws.apache.org              22
> xalan.apache.org           1
> xerces.apache.org          5
> xml.apache.org             1
> xmlbeans.apache.org        3
> zookeeper.apache.org       18
>
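Added after the thread as an illustration of the kind of inventory check Infra's scan would have performed over the api/ directories Andrus lists: a script that walks a docs tree, classifies each Javadoc index.html as still carrying the frame-injection pattern or already fixed, and reports the paths to patch. This is example code written for this page; it is not from the Cayenne project, from Apache Infra or from Oracle. It assumes (not stated in the thread) that the affected generator's index.html copies window.location.search into a targetPage variable and loads it into the class frame with no check, and that regenerated or tool-patched pages add a validURL() guard in front of that load; the sample pages, directory layout and helper names below are constructed.

```python
"""Inventory check for the Javadoc frame-injection pattern.

Added example, not code from the Cayenne thread, from Apache Infra or from
Oracle. Assumptions (mine, not stated in the thread):
  * index.html from the affected generators copies window.location.search
    into `targetPage` and loads it into the class frame unvalidated; the
    fixed generators (and the updater tool the thread mentions) add a
    `validURL()` guard before that load.
  * The tree is laid out like the CMS paths in the thread
    (docs/<version>/api/index.html); any layout works.
"""
import re
import tempfile
from pathlib import Path

# Marker of the unfixed generator: the query string is copied straight into targetPage.
UNVALIDATED_TARGET = re.compile(r'targetPage\s*=\s*""\s*\+\s*window\.location\.search')
# Marker that the page was regenerated or patched: a validURL() guard is present.
VALIDATION_FN = re.compile(r'function\s+validURL\s*\(')


def classify_index_html(text):
    """Return 'vulnerable', 'patched' or 'not-javadoc' for one index.html body."""
    if not UNVALIDATED_TARGET.search(text):
        return "not-javadoc"
    return "patched" if VALIDATION_FN.search(text) else "vulnerable"


def scan_tree(root):
    """Classify every index.html under root; returns {class: sorted relative paths}."""
    root = Path(root)
    found = {"vulnerable": [], "patched": [], "not-javadoc": []}
    for path in root.rglob("index.html"):
        text = path.read_text(encoding="utf-8", errors="replace")
        found[classify_index_html(text)].append(path.relative_to(root).as_posix())
    for paths in found.values():
        paths.sort()
    return found


# Constructed sample modelled on the generator's frameset index.html (assumption).
VULNERABLE_SAMPLE = """<html><head><title>Generated Documentation</title>
<script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
             top.classFrame.location = top.targetPage;
    }
</script></head>
<frameset cols="20%,80%" onload="top.loadFrames()"></frameset></html>
"""

# Constructed "fixed" variant: same page with a guard inserted before the frame load.
PATCHED_SAMPLE = VULNERABLE_SAMPLE.replace(
    "    function loadFrames() {",
    """    if (targetPage.indexOf(":") != -1 || (targetPage != "" && !validURL(targetPage)))
        targetPage = "undefined";
    function validURL(url) {
        // simplified stand-in for the real character-by-character check
        return url.indexOf(":") == -1 && url.lastIndexOf(".html") == url.length - 5;
    }
    function loadFrames() {""",
)


def build_sample_tree(base):
    """Write one vulnerable, one patched and one unrelated index.html (constructed data)."""
    base = Path(base)
    layout = {
        "docs/3.0/api/index.html": VULNERABLE_SAMPLE,
        "docs/3.1/api/index.html": PATCHED_SAMPLE,
        "docs/index.html": "<html><body>Documentation landing page</body></html>\n",
    }
    for rel, body in layout.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return base


def demo():
    """Build the constructed tree in a temp dir and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for label, paths in demo().items():
        print(f"{label}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Run against a real checkout, replace demo() with scan_tree("cms/content/docs") and the "vulnerable" list is the set of index.html files to regenerate or run the updater tool over; re-running after the fix should move every entry to "patched". The check is deliberately a marker match on the generated script, not an attempt to parse the page, so it is cheap over thousands of files but should be spot-checked against a known-good regenerated page before trusting a "patched" result.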