From: Mike Kienenberger
Date: Tue, 9 Jul 2013 16:58:09 -0400
Subject: Re: javadoc security flaw
To: dev@cayenne.apache.org

I wasn't able to quickly determine how to detect or exploit this by reviewing the recent security advisories about the issue. Maybe someone else will have more time or better luck spotting the wanted info.

http://www.kb.cert.org/vuls/id/225657
http://xforce.iss.net/xforce/xfdb/84715
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

On Tue, Jul 9, 2013 at 4:23 PM, Andrus Adamchik wrote:
> Mike, thanks for the research. Just committed javadoc plugin upgrade to all active branches (CAY-1845). I hope we are all set. (wonder if this can be verified by checking the generated javadocs somehow?)
>
> Andrus
>
> On Jul 9, 2013, at 4:20 PM, Mike Kienenberger wrote:
>
>> LUCENE's issue stated in the comments that the Oracle tool shouldn't
>> be used (apparently it can be integrated with maven). It also stated
>> that there was a simple way to duplicate the functionality using
>> maven, but I didn't immediately see what that was:
>>
>> Here's the thread it had on that:
>>
>> https://jira.codehaus.org/browse/MJAVADOC-370?focusedCommentId=327185&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-327185
>>
>> This seems to point to https://issues.apache.org/jira/browse/MPOM-46
>> as one solution later on in the comments
>>
>> Which seems to be a matter of updating the maven-javadoc-plugin
>> version from 2.9 to 2.9.1. Maybe that's all we need as well? If
>> not, I'm guessing you could diff the changes between versions 2.9 to
>> 2.9.1 and find the solution in a maven environment?
>>
>> http://svn.apache.org/viewvc/maven/pom/trunk/asf/pom.xml?r1=1497692&r2=1497691&pathrev=1497692
>>
>> --- maven/pom/trunk/asf/pom.xml 2013/06/28 09:11:27 1497691
>> +++ maven/pom/trunk/asf/pom.xml 2013/06/28 09:14:58 1497692
>> @@ -184,7 +184,7 @@
>>
>> org.apache.maven.plugins
>> maven-javadoc-plugin
>> - 2.9
>> + 2.9.1
>>
>>
>> On Tue, Jul 9, 2013 at 9:12 AM, Mike Kienenberger wrote:
>>>> On Jul 9, 2013, at 2:57 AM, Aristedes Maniatis wrote:
>>>>> Did we change the javadoc build process to avoid the javadoc security flaw recently discovered? I patched the website javadocs, but I'm not sure if we also have to change something in our maven build process or upgrade some plugin.
>>>
>>> On Tue, Jul 9, 2013 at 2:12 AM, Andrus Adamchik wrote:
>>>> Me neither. Probably some research is in order. Should we take this to a separate thread?
>>>
>>> Maybe you can copy what some other project has done.
>>>
>>> I saw a notice about it for tomcat but I believe it is built with ant.
>>>
>>> https://issues.apache.org/bugzilla/show_bug.cgi?id=55119
>>>
>>> That notice pointed to Lucene, but it says it was built with ivy.
>>>
>>> https://issues.apache.org/jira/browse/LUCENE-5072
>>>
>>> So I didn't find a pointer to a maven-based fix.
>>
>
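Review bot: the `+ 2.9.1` line in the asf/pom.xml hunk only reaches projects that inherit this ASF parent pom and do not pin maven-javadoc-plugin to 2.9 in their own pom; a project that declares the plugin version itself has to change it locally (which is what the CAY-1845 commit mentioned above does for the active branches), so the follow-up is to check each branch's pom for a remaining `2.9` pin. A plugin version change also rewrites nothing that was already generated: javadocs built and published with 2.9 stay exactly as they were until they are rebuilt with 2.9.1 or patched by hand, which is why the website javadocs had to be patched separately.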
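Andrus asks whether the upgrade can be verified by checking the generated javadocs. The script below is an added example, not code from this thread or from the Cayenne project: it walks a javadoc output tree, finds the frame-loading script the flaw lives in, and reports whether each file carries the fix. The two marker strings are assumptions taken from JDK 7 javadoc output as I know it (vulnerable and fixed index pages both assign `targetPage` from `window.location.search`; only the fixed one defines a `validURL` function), and the sample HTML fragments are constructed.

```python
import os
import re
import sys

# Both vulnerable and fixed javadoc index pages start their frame-loading
# script this way (assumption: pattern taken from JDK 7 javadoc output).
TARGET_PAGE_RE = re.compile(r'targetPage\s*=\s*""\s*\+\s*window\.location\.search')
# The JDK 7u25 fix adds a validURL() helper that rejects a targetPage that is
# not a plain relative "*.html" path (assumption: marker not stated in thread).
VALID_URL_RE = re.compile(r'function\s+validURL\s*\(')

# Constructed samples of the two script variants, trimmed to the relevant lines.
VULNERABLE_SAMPLE = '''<script type="text/javascript">
    targetPage = "" + window.location.search;
    function loadFrames() {
        top.classFrame.location = top.targetPage;
    }
</script>'''
FIXED_SAMPLE = '''<script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && !validURL(targetPage))
        targetPage = "undefined";
    function validURL(url) { /* accepts only a relative *.html path */ }
</script>'''


def classify(html):
    """Return 'vulnerable', 'fixed' or 'n/a' for the contents of one HTML file."""
    if not TARGET_PAGE_RE.search(html):
        return "n/a"  # no frame-loading script here, nothing to check
    return "fixed" if VALID_URL_RE.search(html) else "vulnerable"


def scan_javadoc(root):
    """Walk a generated javadoc tree and map each affected file to its verdict."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".html"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    verdict = classify(fh.read())
                if verdict != "n/a":
                    findings[path] = verdict
    return findings


if __name__ == "__main__":
    # Usage: python check_javadoc.py target/site/apidocs
    for path, verdict in sorted(scan_javadoc(sys.argv[1]).items()):
        print(f"{verdict:10s} {path}")
```

Any file reported as vulnerable after a rebuild means the branch is still picking up the old plugin or the output directory was not regenerated.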