openjpa-dev mailing list archives

From Jeremy Bauer <techhu...@gmail.com>
Subject Re: [SECURITY] Frame injection vulnerability in published Javadoc
Date Mon, 24 Jun 2013 14:08:07 GMT
Thanks, Albert!  Very glad to hear the build machines were all updated to a
level with the fix.

-Jeremy

On Fri, Jun 21, 2013 at 1:46 PM, Albert Lee <allee8285@gmail.com> wrote:

> I have updated all the javadoc (17 instances) that are published on the
> OpenJPA home site with the prescribed patch. The remaining ones are generated
> in the daily doc build by the BuildBot process. The Infrastructure team
> confirmed they have updated the JDK on those build systems.  The OpenJPA
> Javadoc will be built with proper doc generation next time BuildBot kicks in.
>
> Regards,
> Albert Lee.
>
> ---------- Forwarded message ----------
> From: Gavin McDonald <gavin@16degrees.com.au>
> Date: Thu, Jun 20, 2013 at 8:11 PM
> Subject: RE: [SECURITY] Frame injection vulnerability in published Javadoc
> To: Albert Lee <allee8285@gmail.com>, infrastructure@apache.org
>
>
> Yep,
>
> I've gone through and patched the already published javadocs for all
> projects on buildbot master, then backtraced to the affected host slaves
> that built them and upgraded those.
>
> As all projects do a clobber before re-publishing javadocs I think we are
> fine going forwards.
>
> Gav…
>
> From: Albert Lee [mailto:allee8285@gmail.com]
> Sent: Friday, 21 June 2013 2:47 AM
> To: infrastructure@apache.org
> Subject: Fwd: [SECURITY] Frame injection vulnerability in published Javadoc
>
> OpenJPA uses buildbot to generate JavaDoc on a daily basis.
>
> I assume the JDKs used in the buildbot systems have the appropriate updates
> to prevent this vulnerability.
>
> Please confirm.
>
> Thanks,
> Albert Lee.
>
> ---------- Forwarded message ----------
> From: Mark Thomas <markt@apache.org>
> Date: Thu, Jun 20, 2013 at 3:29 AM
> Subject: [SECURITY] Frame injection vulnerability in published Javadoc
> To: committers@apache.org
> Cc: root@apache.org
>
>
> Hi All,
>
> Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
> generated by Java 5, Java 6 and Java 7 before update 22.
>
> The infrastructure team has completed a scan of our current project
> websites and identified over 6000 instances of vulnerable Javadoc
> distributed across most TLPs. The chances are the project(s) you
> contribute to is(are) affected. A list of projects and the number of
> affected Javadoc instances per project is provided at the end of this
> e-mail.
>
> Please take the necessary steps to fix any currently published Javadoc
> and to ensure that any future Javadoc published by your project does not
> contain the vulnerability. The announcement by Oracle includes a link to
> a tool that can be used to fix Javadoc without regeneration.
>
> The infrastructure team is investigating options for preventing the
> publication of vulnerable Javadoc.
>
> The issue is public and may be discussed freely on your project's dev list.
>
> Thanks,
>
> Mark (ASF Infra)
>
>
>
> [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
> [2] http://www.kb.cert.org/vuls/id/225657
>
> Project                 Instances
> abdera.apache.org       1
> accumulo.apache.org     2
> activemq.apache.org     105
> any23.apache.org        13
> archiva.apache.org      4
> archive.apache.org      13
> aries.apache.org        7
> avro.apache.org         23
> axis.apache.org         5
> beehive.apache.org      16
> bval.apache.org         12
> camel.apache.org        786
> cayenne.apache.org      4
> chemistry.apache.org    6
> click.apache.org        3
> cocoon.apache.org       6
> commons.apache.org      34
> continuum.apache.org    9
> creadur.apache.org      19
> crunch.apache.org       4
> ctakes.apache.org       2
> curator.apache.org      4
> cxf.apache.org          6
> db.apache.org           39
> directory.apache.org    4
> empire-db.apache.org    1
> felix.apache.org        5
> flume.apache.org        5
> geronimo.apache.org     241
> giraph.apache.org       6
> gora.apache.org         3
> hadoop.apache.org       21
> hbase.apache.org        2
> hive.apache.org         4
> hivemind.apache.org     10
> incubator.apache.org    355
> jackrabbit.apache.org   9
> jakarta.apache.org      39
> james.apache.org        53
> jena.apache.org         5
> juddi.apache.org        3
> lenya.apache.org        46
> logging.apache.org      111
> lucene.apache.org       713
> manifoldcf.apache.org   112
> marmotta.apache.org     1
> maven.apache.org        1623
> maventest.apache.org    1178
> mina.apache.org         2
> mrunit.apache.org       3
> myfaces.apache.org      348
> nutch.apache.org        8
> oltu.apache.org         11
> oodt.apache.org         1
> ooo-site.apache.org     1
> oozie.apache.org        10
> openjpa.apache.org      20
> opennlp.apache.org      9
> pdfbox.apache.org       1
> pig.apache.org          7
> pivot.apache.org        1
> poi.apache.org          1
> portals.apache.org      35
> river.apache.org        2
> santuario.apache.org    1
> shale.apache.org        55
> shiro.apache.org        3
> sling.apache.org        2
> sqoop.apache.org        4
> struts.apache.org       190
> subversion.apache.org   3
> synapse.apache.org      1
> syncope.apache.org      2
> tapestry.apache.org     6
> tika.apache.org         9
> tiles.apache.org        12
> turbine.apache.org      100
> tuscany.apache.org      4
> uima.apache.org         12
> velocity.apache.org     41
> whirr.apache.org        2
> wicket.apache.org       3
> wink.apache.org         13
> ws.apache.org           22
> xalan.apache.org        1
> xerces.apache.org       5
> xml.apache.org          1
> xmlbeans.apache.org     3
> zookeeper.apache.org    18
>
> --
> Albert Lee.
>
> --
> Albert Lee.
>
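As an added example (not code from this thread, from OpenJPA or from the ASF infrastructure team), a small Python scanner of the kind the site-wide scan described above would need: it walks a published site tree, classifies each javadoc index.html as vulnerable or patched, and tallies the result. The detection heuristic is an assumption: the unfixed frameset page hands window.location.search to a frame unchecked, while a page regenerated with a fixed JDK or processed by Oracle's updater tool contains a validURL() function; the sample pages are constructed and shortened.

```python
import os
import re
import tempfile
# Constructed, shortened stand-ins for the frameset index.html javadoc emits. Assumption:
# the unfixed page hands window.location.search to a frame unchecked; the fixed page
# (JDK 7u25+ or one processed by Oracle's updater tool) adds a validURL() check.
VULNERABLE_INDEX = """<html><script type="text/javascript">
    targetPage = "" + window.location.search;
    function loadFrames() { top.classFrame.location = top.targetPage; }
</script><frameset cols="20%,80%"></frameset></html>"""
PATCHED_INDEX = VULNERABLE_INDEX.replace("    function loadFrames()",
    '    function validURL(url) { return true; }  // whitelist body omitted in sample\n'
    '    if (targetPage != "" && !validURL(targetPage)) targetPage = "undefined";\n'
    "    function loadFrames()")

VALID_URL_RE = re.compile(r"function\s+validURL\s*\(")
TARGET_PAGE_RE = re.compile(r'targetPage\s*=\s*""\s*\+\s*window\.location')

def classify_index_html(html):
    """Return 'patched', 'vulnerable' or 'not-applicable' (no frameset script at all)."""
    if VALID_URL_RE.search(html):
        return "patched"
    if TARGET_PAGE_RE.search(html):
        return "vulnerable"
    return "not-applicable"

def scan_site(root):
    """Walk a published site tree and tally javadoc index.html files by verdict."""
    tally = {"vulnerable": 0, "patched": 0}
    for dirpath, _, names in os.walk(root):
        if "index.html" not in names:
            continue
        with open(os.path.join(dirpath, "index.html"), encoding="utf-8", errors="replace") as f:
            verdict = classify_index_html(f.read())
        if verdict in tally:
            tally[verdict] += 1
    return tally

def demo():
    """Scan a throwaway tree holding one vulnerable, one patched and one frameless page."""
    with tempfile.TemporaryDirectory() as root:
        samples = (("old/apidocs", VULNERABLE_INDEX), ("new/apidocs", PATCHED_INDEX),
                   ("plain", "<html><body>no frames here</body></html>"))
        for sub, html in samples:
            os.makedirs(os.path.join(root, sub))
            with open(os.path.join(root, sub, "index.html"), "w", encoding="utf-8") as f:
                f.write(html)
        return scan_site(root)  # {'vulnerable': 1, 'patched': 1}
```

Pointing scan_site at a real document root gives the per-site count the thread reports; a non-zero "vulnerable" tally after a build means the generating JDK was not updated or the tool was not run.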
