openjpa-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Albert Lee <allee8...@gmail.com>
Subject Fwd: [SECURITY] Frame injection vulnerability in published Javadoc
Date Fri, 21 Jun 2013 18:46:52 GMT
I have updated all (17 instances) the javadoc with the prescribed patch
that are published in the OpenJPA home site. The remaining are generated in
daily doc build by the BuildBot process. Infrastructure team confirmed they
have updated the JDK on those build systems.  The OpenJPA Javadoc will be
built with proper doc generation next time BuildBot kicks in.

Regards,
Albert Lee.

---------- Forwarded message ----------
From: Gavin McDonald <gavin@16degrees.com.au>
Date: Thu, Jun 20, 2013 at 8:11 PM
Subject: RE: [SECURITY] Frame injection vulnerability in published Javadoc
To: Albert Lee <allee8285@gmail.com>, infrastructure@apache.org


Yep,****

** **

I’ve gone through and patched the already published javadocs for all
projects on buildbot master, then backtraced to the affected host slaves
that built them and upgraded those.****

As all projects do a clobber before re-publishing javadocs I think we are
fine going forwards.****

** **

Gav…****

** **

** **

*From:* Albert Lee [mailto:allee8285@gmail.com]
*Sent:* Friday, 21 June 2013 2:47 AM
*To:* infrastructure@apache.org
*Subject:* Fwd: [SECURITY] Frame injection vulnerability in published
Javadoc****

** **

OpenJPA uses buildbot to generate JavaDoc on a daily basis.  ****

I assume the JDK used in the buildbot systems have the appropriate JDK
updated to prevent this vulnerability.  ****

Please confirm.****

Thanks,
Albert Lee.****

** **

---------- Forwarded message ----------
From: *Mark Thomas* <markt@apache.org>
Date: Thu, Jun 20, 2013 at 3:29 AM
Subject: [SECURITY] Frame injection vulnerability in published Javadoc
To: committers@apache.org
Cc: root@apache.org


Hi All,

Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
generated by Java 5, Java 6 and Java 7 before update 22.

The infrastructure team has completed a scan of our current project
websites and identified over 6000 instances of vulnerable Javadoc
distributed across most TLPs. The chances are the project(s) you
contribute to is(are) affected. A list of projects and the number of
affected Javadoc instances per project is provided at the end of this
e-mail.

Please take the necessary steps to fix any currently published Javadoc
and to ensure that any future Javadoc published by your project does not
contain the vulnerability. The announcement by Oracle includes a link to
a tool that can be used to fix Javadoc without regeneration.

The infrastructure team is investigating options for preventing the
publication of vulnerable Javadoc.

The issue is public and may be discussed freely on your project's dev list.

Thanks,

Mark (ASF Infra)



[1]
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
[2] http://www.kb.cert.org/vuls/id/225657

Project                 Instances
abdera.apache.org       1
accumulo.apache.org     2
activemq.apache.org     105
any23.apache.org        13
archiva.apache.org      4
archive.apache.org      13
aries.apache.org        7
avro.apache.org         23
axis.apache.org         5
beehive.apache.org      16
bval.apache.org         12
camel.apache.org        786
cayenne.apache.org      4
chemistry.apache.org    6
click.apache.org        3
cocoon.apache.org       6
commons.apache.org      34
continuum.apache.org    9
creadur.apache.org      19
crunch.apache.org       4
ctakes.apache.org       2
curator.apache.org      4
cxf.apache.org          6
db.apache.org           39
directory.apache.org    4
empire-db.apache.org    1
felix.apache.org        5
flume.apache.org        5
geronimo.apache.org     241
giraph.apache.org       6
gora.apache.org         3
hadoop.apache.org       21
hbase.apache.org        2
hive.apache.org         4
hivemind.apache.org     10
incubator.apache.org    355
jackrabbit.apache.org   9
jakarta.apache.org      39
james.apache.org        53
jena.apache.org         5
juddi.apache.org        3
lenya.apache.org        46
logging.apache.org      111
lucene.apache.org       713
manifoldcf.apache.org   112
marmotta.apache.org     1
maven.apache.org        1623
maventest.apache.org    1178
mina.apache.org         2
mrunit.apache.org       3
myfaces.apache.org      348
nutch.apache.org        8
oltu.apache.org         11
oodt.apache.org         1
ooo-site.apache.org     1
oozie.apache.org        10
openjpa.apache.org      20
opennlp.apache.org      9
pdfbox.apache.org       1
pig.apache.org          7
pivot.apache.org        1
poi.apache.org          1
portals.apache.org      35
river.apache.org        2
santuario.apache.org    1
shale.apache.org        55
shiro.apache.org        3
sling.apache.org        2
sqoop.apache.org        4
struts.apache.org       190
subversion.apache.org   3
synapse.apache.org      1
syncope.apache.org      2
tapestry.apache.org     6
tika.apache.org         9
tiles.apache.org        12
turbine.apache.org      100
tuscany.apache.org      4
uima.apache.org         12
velocity.apache.org     41
whirr.apache.org        2
wicket.apache.org       3
wink.apache.org         13
ws.apache.org           22
xalan.apache.org        1
xerces.apache.org       5
xml.apache.org          1
xmlbeans.apache.org     3
zookeeper.apache.org    18

****




-- 
Albert Lee. ****



-- 
Albert Lee.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message