cayenne-dev mailing list archives

From Mike Kienenberger <mkien...@gmail.com>
Subject Re: javadoc security flaw
Date Tue, 09 Jul 2013 21:02:21 GMT
Maybe we can compare index / toc files before and after and see if
there's something obviously different:

index.htm
index.html
toc.htm
toc.html



On Tue, Jul 9, 2013 at 4:58 PM, Mike Kienenberger <mkienenb@gmail.com> wrote:
> I wasn't able to quickly determine how to detect or exploit this by
> reviewing the recent security advisories about the issue.   Maybe
> someone else will have more time or better luck spotting the wanted
> info.
>
> http://www.kb.cert.org/vuls/id/225657
>
> http://xforce.iss.net/xforce/xfdb/84715
>
> http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
>
>
> On Tue, Jul 9, 2013 at 4:23 PM, Andrus Adamchik <andrus@objectstyle.org> wrote:
>> Mike, thanks for the research. Just committed javadoc plugin upgrade to all active
>> branches (CAY-1845). I hope we are all set. (wonder if this can be verified by checking the
>> generated javadocs somehow?)
>>
>> Andrus
>>
>> On Jul 9, 2013, at 4:20 PM, Mike Kienenberger <mkienenb@gmail.com> wrote:
>>
>>> LUCENE's issue stated in the comments that the Oracle tool shouldn't
>>> be used (apparently it can be integrated with maven).   It also stated
>>> that there was a simple way to duplicate the functionality using
>>> maven, but I didn't immediately see what that was:
>>>
>>> Here's the thread it had on that:
>>>
>>> https://jira.codehaus.org/browse/MJAVADOC-370?focusedCommentId=327185&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-327185
>>>
>>> This seems to point to https://issues.apache.org/jira/browse/MPOM-46
>>> as one solution later on in the comments
>>>
>>> Which seems to be a matter of updating the maven-javadoc-plugin
>>> version from 2.9 to 2.9.1.   Maybe that's all we need as well?   If
>>> not, I'm guessing you could diff the changes between versions 2.9 to
>>> 2.9.1 and find the solution in a maven environment?
>>>
>>> http://svn.apache.org/viewvc/maven/pom/trunk/asf/pom.xml?r1=1497692&r2=1497691&pathrev=1497692
>>>
>>> --- maven/pom/trunk/asf/pom.xml 2013/06/28 09:11:27 1497691
>>> +++ maven/pom/trunk/asf/pom.xml 2013/06/28 09:14:58 1497692
>>> @@ -184,7 +184,7 @@
>>>         <plugin>
>>>           <groupId>org.apache.maven.plugins</groupId>
>>>           <artifactId>maven-javadoc-plugin</artifactId>
>>> -          <version>2.9</version>
>>> +          <version>2.9.1</version>
>>>         </plugin>
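Review bot: nothing in the hunk records why the version moves from 2.9 to 2.9.1, and a bare bump in a shared parent pom is easy for a later cleanup to revert; add a short XML comment beside `<version>2.9.1</version>` pointing at the advisory the thread cites (http://www.kb.cert.org/vuls/id/225657) so the reason survives. Also worth stating in the commit: the upgrade only changes javadocs generated from now on, so already published output (the website javadocs Aristedes patched by hand) still has to be regenerated or patched separately.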
>>>
>>> On Tue, Jul 9, 2013 at 9:12 AM, Mike Kienenberger <mkienenb@gmail.com> wrote:
>>>>> On Jul 9, 2013, at 2:57 AM, Aristedes Maniatis <ari@maniatis.org> wrote:
>>>>>> Did we change the javadoc build process to avoid the javadoc security
>>>>>> flaw recently discovered? I patched the website javadocs, but I'm not sure if we also have
>>>>>> to change something in our maven build process or upgrade some plugin.
>>>>
>>>> On Tue, Jul 9, 2013 at 2:12 AM, Andrus Adamchik <andrus@objectstyle.org> wrote:
>>>>> Me neither. Probably some research is in order. Should we take this to
>>>>> a separate thread?
>>>>
>>>> Maybe you can copy what some other project has done.
>>>>
>>>> I saw a notice about it for tomcat but I believe it is built with ant.
>>>>
>>>> https://issues.apache.org/bugzilla/show_bug.cgi?id=55119
>>>>
>>>> That notice pointed to Lucene, but it says it was built with ivy.
>>>>
>>>> https://issues.apache.org/jira/browse/LUCENE-5072
>>>>
>>>> So I didn't find a pointer to a maven-based fix.
>>>
>>
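The before/after comparison Mike proposes at the top of this message, as an added example that is not part of the thread or of Cayenne's build: it checks the four index/toc files across two generated javadoc trees (for instance one built with maven-javadoc-plugin 2.9 and one with 2.9.1) and reports which changed, with a unified diff for each changed file. The function names and the sample pair of directories are assumptions constructed for the example.

```python
"""Compare the index/toc files of two generated javadoc trees and report
what changed. Added example; function and directory names are assumed."""
import difflib
import tempfile
from pathlib import Path

# The files the message above suggests comparing before and after the upgrade.
CANDIDATE_FILES = ("index.htm", "index.html", "toc.htm", "toc.html")


def compare_javadoc_trees(before_dir, after_dir, names=CANDIDATE_FILES):
    """Map each candidate file name to (status, diff_lines), where status is
    'unchanged', 'changed', 'added', 'removed' or 'absent' and diff_lines is a
    unified diff (empty unless the file changed)."""
    before, after = Path(before_dir), Path(after_dir)
    report = {}
    for name in names:
        b, a = before / name, after / name
        if not b.exists() and not a.exists():
            report[name] = ("absent", [])
        elif b.exists() and not a.exists():
            report[name] = ("removed", [])
        elif a.exists() and not b.exists():
            report[name] = ("added", [])
        else:
            b_lines = b.read_text(encoding="utf-8", errors="replace").splitlines()
            a_lines = a.read_text(encoding="utf-8", errors="replace").splitlines()
            diff = list(difflib.unified_diff(b_lines, a_lines, lineterm="",
                                             fromfile=f"before/{name}",
                                             tofile=f"after/{name}"))
            report[name] = ("changed" if diff else "unchanged", diff)
    return report


def changed_files(report):
    """Names whose status is anything other than unchanged or absent."""
    return sorted(n for n, (status, _) in report.items()
                  if status not in ("unchanged", "absent"))


def make_constructed_sample():
    """Write a constructed before/after pair into a temp dir so the comparison
    can be tried offline; the file contents are placeholders, not real javadoc."""
    root = Path(tempfile.mkdtemp(prefix="javadoc-cmp-"))
    before, after = root / "before", root / "after"
    before.mkdir()
    after.mkdir()
    (before / "index.html").write_text("<html><body>old frameset</body></html>\n")
    (after / "index.html").write_text("<html><body>new frameset</body></html>\n")
    (before / "toc.html").write_text("<html>toc</html>\n")
    (after / "toc.html").write_text("<html>toc</html>\n")
    (after / "index.htm").write_text("<html></html>\n")
    return before, after
```

Run it against the real output directories of two builds; an empty list from changed_files means the plugin upgrade produced no visible change in these files and needs a closer look.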
