continuum-dev mailing list archives

From Brent Atkinson <brent.atkin...@gmail.com>
Subject Re: Patching javadocs
Date Thu, 27 Jun 2013 10:37:37 GMT
That explains why there were no vulnerabilities found.

Thanks Olivier!


On Thu, Jun 27, 2013 at 1:05 AM, Olivier Lamy <olamy@apache.org> wrote:

> I did it already :-)
> See http://svn.apache.org/viewvc?view=revision&revision=1494942
> I checked out the site tree and applied the tool provided by Oracle.
>
> 2013/6/23 Brent Atkinson <brent.atkinson@gmail.com>:
> > Hi Louis,
> >
> > Frame injection sounds technical; it's basically that someone can hijack
> > someone's site that uses frames to present their own content and try a
> > social engineering attack that takes advantage of a user's trust of the
> > site's authenticity. Someone can essentially put their own content in your
> > html frameset and try to convince the user to do things.
> >
> > Using enforcer would be to prevent people from publishing docs using java
> > versions that produce vulnerable docs.
> >
> > Brent
> >
> >
> > On Sat, Jun 22, 2013 at 12:06 PM, Louis Smith <dr.louis.smith@gmail.com> wrote:
> >
> >> You're a braver man than I - I wouldn't attempt it... not even sure how
> >> enforcer could be used, or how to deal with the frame injection.  I need to
> >> go study up on that one...
> >>
> >> Good Luck!!
> >>
> >>
> >> On Sat, Jun 22, 2013 at 11:58 AM, Brent Atkinson <batkinson@apache.org> wrote:
> >>
> >> > Greetings,
> >> >
> >> > I have some time to patch the frame injection vulnerability in the project
> >> > javadocs. Since this is the first time publishing the docs, I'd like
> >> > someone to verify the process for me. From
> >> > http://continuum.apache.org/development/publishing-site.html it appears
> >> > that I:
> >> >
> >> >   * check out the source under
> >> > http://svn.apache.org/repos/asf/continuum/site-publish
> >> >   * patch the docs
> >> >   * run "mvn site site:stage scm-publish:publish-scm"
> >> >
> >> > That should update the existing docs.
> >> >
> >> > How should we ensure new docs don't get published with the vulnerability?
> >> > Would that be something we'd do with enforcer and require versions?
> >> >
> >> > Brent
> >> >
> >>
> >>
> >>
> >> --
> >> Dr. Louis Smith, ThD
> >> Chief Technology Officer, Kyra InfoTech
> >> Museum Director, Veterans Memorial Railroad
> >>
>
>
>
> --
> Olivier Lamy
> Ecetera: http://ecetera.com.au
> http://twitter.com/olamy | http://linkedin.com/in/olamy
>
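
A pre-publish check for the question raised in the thread (how to keep new docs from being published with the frame injection problem). This is an added example: it is not part of the thread, not Continuum's build, and not the Oracle tool Olivier mentions. The regular expressions are a heuristic assumed here for what an unvalidated frame-loading script looks like, and both sample pages are constructed.

```python
import re
import sys
import tempfile
from pathlib import Path

# Heuristic patterns: assumptions for this example, not the Oracle tool's logic.
READS_URL = re.compile(r"\blocation\.(?:search|href|hash)\b")
SETS_FRAME = re.compile(r"\b(?:top|parent)\.\w+\.location\s*=")
VALIDATOR = re.compile(r"\bfunction\s+\w*valid\w*\s*\(", re.I)

# Constructed sample pages (not copied from real javadoc output).
UNCHECKED = """<html><head><script>
var target = window.location.search.substring(1);
function loadFrames() { if (target) top.classFrame.location = target; }
</script></head><frameset cols="20%,80%" onload="loadFrames()">
<frame src="overview.html" name="classFrame"></frameset></html>"""
CHECKED = UNCHECKED.replace(
    "function loadFrames()",
    "function validURL(u) { return u.indexOf(':') == -1; }\nfunction loadFrames()",
).replace("if (target)", "if (target && validURL(target))")

def is_suspect(html: str) -> bool:
    """Frameset page that sets a frame location from the URL with no validator."""
    return ("<frameset" in html.lower()
            and bool(READS_URL.search(html))
            and bool(SETS_FRAME.search(html))
            and not VALIDATOR.search(html))

def scan_site(root) -> list:
    """Return sorted relative paths of suspect .html files under root."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.html")
                  if is_suspect(p.read_text(encoding="utf-8", errors="replace")))

def demo() -> list:
    """Scan a temporary site tree built from the constructed pages."""
    pages = {"apidocs/index.html": UNCHECKED, "apidocs-fixed/index.html": CHECKED,
             "index.html": "<html><body>Site home</body></html>"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in pages.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return scan_site(tmp)

if __name__ == "__main__":
    hits = scan_site(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("\n".join(hits) or "no suspect frameset pages")
    sys.exit(1 if hits else 0)
```

Pointed at the staged site directory before the publish step, a non-zero exit means at least one frameset page still needs patching or regenerating.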
