From: Ariel Rabkin
To: "chukwa-dev@hadoop.apache.org"
Date: Mon, 24 Jun 2013 23:24:22 -0400
Subject: Fwd: [SECURITY] Frame injection vulnerability in published Javadoc
In-Reply-To: <51C2BD63.7000901@apache.org>

I don't understand how serious a problem this is. Do we need to do anything about this? Anybody want to take the lead and re-compile our javadoc?

--Ari

---------- Forwarded message ----------
From: Mark Thomas
Date: Thu, Jun 20, 2013 at 4:29 AM
Subject: [SECURITY] Frame injection vulnerability in published Javadoc
To: committers@apache.org
Cc: root@apache.org

Hi All,

Oracle has announced [1], [2] a frame injection vulnerability in Javadoc generated by Java 5, Java 6 and Java 7 before update 22.

The infrastructure team has completed a scan of our current project websites and identified over 6000 instances of vulnerable Javadoc distributed across most TLPs. The chances are the project(s) you contribute to is(are) affected. A list of projects and the number of affected Javadoc instances per project is provided at the end of this e-mail.

Please take the necessary steps to fix any currently published Javadoc and to ensure that any future Javadoc published by your project does not contain the vulnerability. The announcement by Oracle includes a link to a tool that can be used to fix Javadoc without regeneration.

The infrastructure team is investigating options for preventing the publication of vulnerable Javadoc.

The issue is public and may be discussed freely on your project's dev list.

Thanks,

Mark
(ASF Infra)

[1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
[2] http://www.kb.cert.org/vuls/id/225657

--
Ari Rabkin asrabkin@gmail.com
Princeton Computer Science Department
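The advisory says Infra scanned the project websites for affected Javadoc and that Oracle's tool repairs published Javadoc in place. Below is an added example of the project-side version of that scan; it is not code from this thread, from Apache Infra or from Oracle. It assumes, because the e-mail does not say so, that the affected Javadoc index.html takes its frame target from window.location.search (the targetPage variable) and that the fixed generator and the updater tool add a validURL() guard around that value, so an index.html with the loader but no validURL definition is reported as needing attention. The function names and the two sample pages are constructed for the example.

```python
"""Heuristic scan for published Javadoc index.html files that still carry
the frame-injection issue described in the forwarded advisory.

Added example for this archive page, not code from the thread, from Apache
Infra or from Oracle. Assumption (not stated in the e-mail): affected
Javadoc loads its frame from a page name taken from window.location.search
in index.html, and the fix adds a validURL() function that restricts that
value. The scan flags index.html files that use the loader but define no
validURL().
"""
import os
import re
import sys

# The frame-loader statement present in affected Javadoc index.html files.
FRAME_LOADER_RE = re.compile(r'targetPage\s*=\s*""\s*\+\s*window\.location\.search')
# The guard the fix introduces; its absence next to the loader is the signal.
FIX_MARKER_RE = re.compile(r"function\s+validURL\s*\(")


def classify_index_html(html: str) -> str:
    """Classify one index.html as 'not-javadoc', 'fixed' or 'vulnerable'."""
    if not FRAME_LOADER_RE.search(html):
        return "not-javadoc"   # no Javadoc frame loader in this page
    if FIX_MARKER_RE.search(html):
        return "fixed"         # loader is guarded by validURL()
    return "vulnerable"        # loader present, guard missing


def classify_files(files: dict) -> dict:
    """Classify a mapping of path -> page text; non-Javadoc pages are dropped."""
    return {
        path: verdict
        for path, text in files.items()
        if (verdict := classify_index_html(text)) != "not-javadoc"
    }


def scan_tree(root: str) -> dict:
    """Walk a site tree, read every index.html and classify each one."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "index.html" not in filenames:
            continue
        path = os.path.join(dirpath, "index.html")
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                found[path] = fh.read()
        except OSError as exc:
            print(f"unreadable   {path}: {exc}", file=sys.stderr)
    return classify_files(found)


# Constructed samples of the two loader shapes (not copied from any project).
SAMPLE_VULNERABLE = """<html><head><script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    if (targetPage.indexOf(":") != -1)
        targetPage = "undefined";
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
            top.classFrame.location = top.targetPage;
    }
</script></head><frameset onload="loadFrames()"></frameset></html>"""

SAMPLE_FIXED = """<html><head><script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    if (targetPage.indexOf(":") != -1 || (targetPage != "" && !validURL(targetPage)))
        targetPage = "undefined";
    function validURL(url) {
        /* constructed stand-in for the real character check in the fix */
        return url.indexOf("//") == -1 && url.indexOf("..") == -1;
    }
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
            top.classFrame.location = top.targetPage;
    }
</script></head><frameset onload="loadFrames()"></frameset></html>"""


if __name__ == "__main__":
    # Usage: python scan_javadoc.py /path/to/published/site
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, verdict in sorted(scan_tree(root).items()):
        print(f"{verdict:11s} {path}")
```

Run it against a checkout of the published site; every path reported as vulnerable is a candidate for regeneration with a fixed JDK or for Oracle's in-place updater tool. The check is a text heuristic, so confirm a hit by reading the page before and after the fix rather than trusting the verdict alone.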