www-builds mailing list archives

From "Uwe Schindler" <...@thetaphi.de>
Subject RE: [SECURITY] Frame injection vulnerability in published Javadoc
Date Sun, 23 Jun 2013 16:55:18 GMT
Hi,

once Lucene's bug is committed (see https://issues.apache.org/jira/browse/LUCENE-5072), we
have no problem anymore. For Maven builds there is already an issue open on the javadoc plugin
to implement the fix directly inside the javadoc plugin. I contributed a patch there already.

The big issue is: We can only fix Jenkins to create correct Javadocs on Java 7 builds, but
Java 6 and Java 5 builds have no recent JDK available that fixes the build (except Apple JDK
6 - argh!). The only way is to fix the build in the projects to post-process javadocs after
generating them. The issue could be solved for Maven projects by a plugin upgrade once it
is released and for Ant projects using the snippet here: http://goo.gl/dq3LJ

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de


> -----Original Message-----
> From: Sergio Fernández [mailto:sergio.fernandez@salzburgresearch.at]
> Sent: Sunday, June 23, 2013 6:31 PM
> To: builds@apache.org
> Subject: Fwd: [SECURITY] Frame injection vulnerability in published Javadoc
> 
> Hi,
> 
> regarding the security issue forwarded, I'd like to ask how a project using
> buildbot+maven should proceed.
> 
> I've just updated the marmotta staging site, but the generated javadoc there still
> contains the buggy code:
> 
> http://marmotta.staging.apache.org/apidocs/index.html
> 
> Thanks in advance for any clue.
> 
> Cheers,
> 
> 
> 
> -------- Original Message --------
> Subject: [SECURITY] Frame injection vulnerability in published Javadoc
> Date: Thu, 20 Jun 2013 09:29:23 +0100
> From: Mark Thomas <markt@apache.org>
> Reply-To: infrastructure@apache.org <infrastructure@apache.org>
> To: committers@apache.org
> CC: root@apache.org
> 
> Hi All,
> 
> Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
> generated by Java 5, Java 6 and Java 7 before update 22.
> 
> The infrastructure team has completed a scan of our current project
> websites and identified over 6000 instances of vulnerable Javadoc distributed
> across most TLPs. The chances are the project(s) you contribute to is(are)
> affected. A list of projects and the number of affected Javadoc instances per
> project is provided at the end of this e-mail.
> 
> Please take the necessary steps to fix any currently published Javadoc and to
> ensure that any future Javadoc published by your project does not contain
> the vulnerability. The announcement by Oracle includes a link to a tool that
> can be used to fix Javadoc without regeneration.
> 
> The infrastructure team is investigating options for preventing the
> publication of vulnerable Javadoc.
> 
> The issue is public and may be discussed freely on your project's dev list.
> 
> Thanks,
> 
> Mark (ASF Infra)
> 
> 
> 
> [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
> [2] http://www.kb.cert.org/vuls/id/225657
> 
> Project			Instances
> abdera.apache.org	1
> accumulo.apache.org	2
> activemq.apache.org	105
> any23.apache.org	13
> archiva.apache.org	4
> archive.apache.org	13
> aries.apache.org	7
> avro.apache.org		23
> axis.apache.org		5
> beehive.apache.org	16
> bval.apache.org		12
> camel.apache.org	786
> cayenne.apache.org	4
> chemistry.apache.org	6
> click.apache.org	3
> cocoon.apache.org	6
> commons.apache.org	34
> continuum.apache.org	9
> creadur.apache.org	19
> crunch.apache.org	4
> ctakes.apache.org	2
> curator.apache.org	4
> cxf.apache.org		6
> db.apache.org		39
> directory.apache.org	4
> empire-db.apache.org	1
> felix.apache.org	5
> flume.apache.org	5
> geronimo.apache.org	241
> giraph.apache.org	6
> gora.apache.org		3
> hadoop.apache.org	21
> hbase.apache.org	2
> hive.apache.org		4
> hivemind.apache.org	10
> incubator.apache.org	355
> jackrabbit.apache.org	9
> jakarta.apache.org	39
> james.apache.org	53
> jena.apache.org		5
> juddi.apache.org	3
> lenya.apache.org	46
> logging.apache.org	111
> lucene.apache.org	713
> manifoldcf.apache.org	112
> marmotta.apache.org	1
> maven.apache.org	1623
> maventest.apache.org	1178
> mina.apache.org		2
> mrunit.apache.org	3
> myfaces.apache.org	348
> nutch.apache.org	8
> oltu.apache.org		11
> oodt.apache.org		1
> ooo-site.apache.org	1
> oozie.apache.org	10
> openjpa.apache.org	20
> opennlp.apache.org	9
> pdfbox.apache.org	1
> pig.apache.org		7
> pivot.apache.org	1
> poi.apache.org		1
> portals.apache.org	35
> river.apache.org	2
> santuario.apache.org	1
> shale.apache.org	55
> shiro.apache.org	3
> sling.apache.org	2
> sqoop.apache.org	4
> struts.apache.org	190
> subversion.apache.org	3
> synapse.apache.org	1
> syncope.apache.org	2
> tapestry.apache.org	6
> tika.apache.org		9
> tiles.apache.org	12
> turbine.apache.org	100
> tuscany.apache.org	4
> uima.apache.org		12
> velocity.apache.org	41
> whirr.apache.org	2
> wicket.apache.org	3
> wink.apache.org		13
> ws.apache.org		22
> xalan.apache.org	1
> xerces.apache.org	5
> xml.apache.org		1
> xmlbeans.apache.org	3
> zookeeper.apache.org	18
> 
> 
> 
> --
> Sergio Fernández
> Salzburg Research
> +43 662 2288 318
> Jakob-Haringer Strasse 5/II
> A-5020 Salzburg (Austria)
> http://www.salzburgresearch.at
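As an added example (not code from this thread, from Lucene's fix or from Oracle's tool), this shows what the post-processing Uwe describes has to put into each generated index.html: the page's query string is accepted as a frame target only if it is a plain relative .html path, otherwise the default overview is loaded, and needsPatch flags pages that still assign the query string to the class frame unchecked. The shape of validURL is modelled on the validation in patched Javadoc output and is an assumption here.

```javascript
// Accept only relative paths such as "org/apache/Foo.html" or "index-all.html":
// identifier characters, '/' and '.' as separators, and exactly one trailing ".html".
// A scheme, a leading '/', "..", "a.b/c.html" or any other character is rejected.
function validURL(url) {
  var pos = url.indexOf(".html");
  if (pos === -1 || pos !== url.length - 5) return false;
  var allowNumber = false, allowSep = false, seenDot = false;
  for (var i = 0; i < url.length - 5; i++) {
    var ch = url.charAt(i);
    if (('a' <= ch && ch <= 'z') || ('A' <= ch && ch <= 'Z') || ch === '$' || ch === '_') {
      allowNumber = true;   // a digit or '-' may follow an identifier start
      allowSep = true;      // as may a separator
    } else if (('0' <= ch && ch <= '9') || ch === '-') {
      if (!allowNumber) return false;
    } else if (ch === '/' || ch === '.') {
      if (!allowSep) return false;   // no leading or doubled separators
      allowNumber = false;
      allowSep = false;
      if (ch === '.') seenDot = true;
      if (ch === '/' && seenDot) return false;  // a package separator after the class name
    } else {
      return false;
    }
  }
  return true;
}

// Compute the frame target the way a hardened index.html does: strip the leading '?',
// then fall back to "undefined" (load the default overview) unless the value is a
// scheme-free path that passes validURL.
function safeTargetPage(search) {
  var targetPage = "" + search;
  if (targetPage !== "" && targetPage !== "undefined") targetPage = targetPage.substring(1);
  if (targetPage.indexOf(":") !== -1 || (targetPage !== "" && !validURL(targetPage))) {
    targetPage = "undefined";
  }
  return targetPage;
}

// Scan helper for a post-processing step: true when a generated index.html still
// assigns the raw query string to the class frame and carries no validURL check.
function needsPatch(html) {
  return /top\.classFrame\.location\s*=\s*top\.targetPage/.test(html) &&
         html.indexOf("validURL") === -1;
}

// Constructed sample of the unpatched loader as emitted by older javadoc versions.
var unpatchedIndex = '<script>targetPage = "" + window.location.search;\n' +
  'function loadFrames() { top.classFrame.location = top.targetPage; }</script>';
```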


