oodt-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ke...@apache.org
Subject Fwd: [SECURITY] Frame injection vulnerability in published Javadoc
Date Thu, 20 Jun 2013 13:18:03 GMT
See the forwarded message below. Yuck.

I used the patching tool mentioned to fix OODT's Javadocs online at http://oodt.apache.org/

Whoever cuts the next OODT website MUST use Java 1.7.0_23 or higher.

--k

Begin forwarded message:

> From: Mark Thomas <markt@apache.org>
> Subject: [SECURITY] Frame injection vulnerability in published Javadoc
> Date: 2013 June 20 3.29.23a CDT
> To: committers@apache.org
> Cc: root@apache.org
> Reply-To: "infrastructure@apache.org" <infrastructure@apache.org>
> 
> Hi All,
> 
> Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
> generated by Java 5, Java 6 and Java 7 before update 22.
> 
> The infrastructure team has completed a scan of our current project
> websites and identified over 6000 instances of vulnerable Javadoc
> distributed across most TLPs. The chances are the project(s) you
> contribute to is(are) affected. A list of projects and the number of
> affected Javadoc instances per project is provided at the end of this
> e-mail.
> 
> Please take the necessary steps to fix any currently published Javadoc
> and to ensure that any future Javadoc published by your project does not
> contain the vulnerability. The announcement by Oracle includes a link to
> a tool that can be used to fix Javadoc without regeneration.
> 
> The infrastructure team is investigating options for preventing the
> publication of vulnerable Javadoc.
> 
> The issue is public and may be discussed freely on your project's dev list.
> 
> Thanks,
> 
> Mark (ASF Infra)
> 
> 
> 
> [1]
> http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
> [2] http://www.kb.cert.org/vuls/id/225657
> 
> Project			Instances
> abdera.apache.org	1
> accumulo.apache.org	2
> activemq.apache.org	105
> any23.apache.org	13
> archiva.apache.org	4
> archive.apache.org	13
> aries.apache.org	7
> avro.apache.org		23
> axis.apache.org		5
> beehive.apache.org	16
> bval.apache.org		12
> camel.apache.org	786
> cayenne.apache.org	4
> chemistry.apache.org	6
> click.apache.org	3
> cocoon.apache.org	6
> commons.apache.org	34
> continuum.apache.org	9
> creadur.apache.org	19
> crunch.apache.org	4
> ctakes.apache.org	2
> curator.apache.org	4
> cxf.apache.org		6
> db.apache.org		39
> directory.apache.org	4
> empire-db.apache.org	1
> felix.apache.org	5
> flume.apache.org	5
> geronimo.apache.org	241
> giraph.apache.org	6
> gora.apache.org		3
> hadoop.apache.org	21
> hbase.apache.org	2
> hive.apache.org		4
> hivemind.apache.org	10
> incubator.apache.org	355
> jackrabbit.apache.org	9
> jakarta.apache.org	39
> james.apache.org	53
> jena.apache.org		5
> juddi.apache.org	3
> lenya.apache.org	46
> logging.apache.org	111
> lucene.apache.org	713
> manifoldcf.apache.org	112
> marmotta.apache.org	1
> maven.apache.org	1623
> maventest.apache.org	1178
> mina.apache.org		2
> mrunit.apache.org	3
> myfaces.apache.org	348
> nutch.apache.org	8
> oltu.apache.org		11
> oodt.apache.org		1
> ooo-site.apache.org	1
> oozie.apache.org	10
> openjpa.apache.org	20
> opennlp.apache.org	9
> pdfbox.apache.org	1
> pig.apache.org		7
> pivot.apache.org	1
> poi.apache.org		1
> portals.apache.org	35
> river.apache.org	2
> santuario.apache.org	1
> shale.apache.org	55
> shiro.apache.org	3
> sling.apache.org	2
> sqoop.apache.org	4
> struts.apache.org	190
> subversion.apache.org	3
> synapse.apache.org	1
> syncope.apache.org	2
> tapestry.apache.org	6
> tika.apache.org		9
> tiles.apache.org	12
> turbine.apache.org	100
> tuscany.apache.org	4
> uima.apache.org		12
> velocity.apache.org	41
> whirr.apache.org	2
> wicket.apache.org	3
> wink.apache.org		13
> ws.apache.org		22
> xalan.apache.org	1
> xerces.apache.org	5
> xml.apache.org		1
> xmlbeans.apache.org	3
> zookeeper.apache.org	18
> 
> 


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message