www-builds mailing list archives

From "Uwe Schindler" <...@thetaphi.de>
Subject RE: [SECURITY] Frame injection vulnerability in published Javadoc
Date Sun, 23 Jun 2013 16:57:12 GMT
The Maven issue is here: https://jira.codehaus.org/browse/MJAVADOC-370

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de


> -----Original Message-----
> From: Uwe Schindler [mailto:uwe@thetaphi.de]
> Sent: Sunday, June 23, 2013 6:55 PM
> To: builds@apache.org
> Subject: RE: [SECURITY] Frame injection vulnerability in published Javadoc
> 
> Hi,
> 
> once Lucene's bug is committed (see
> https://issues.apache.org/jira/browse/LUCENE-5072), we have no problem
> anymore. For Maven builds there is already an issue open on the javadoc
> plugin to implement the fix directly inside the javadoc plugin. I contributed a
> patch there already.
> 
> The big issue is: We can only fix Jenkins to create correct Javadocs on Java 7
> builds, but Java 6 and Java 5 builds have no recent JDK available that fixes the
> build (except Apple JDK 6 - argh!). The only way is to fix the build in the
> projects to post-process javadocs after generating them. The issue could be
> solved for Maven projects by a plugin upgrade once it is released and for ANT
> projects using the snippet here: http://goo.gl/dq3LJ
> 
> Uwe
> 
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: uwe@thetaphi.de
> 
> 
> > -----Original Message-----
> > From: Sergio Fernández [mailto:sergio.fernandez@salzburgresearch.at]
> > Sent: Sunday, June 23, 2013 6:31 PM
> > To: builds@apache.org
> > Subject: Fwd: [SECURITY] Frame injection vulnerability in published
> > Javadoc
> >
> > Hi,
> >
> > regarding the security issue forwarded, I'd like to ask how a project
> > using buildbot+maven should proceed.
> >
> > I've just updated the marmotta staging site, but the generated javadoc
> > there still contains the buggy code:
> >
> > http://marmotta.staging.apache.org/apidocs/index.html
> >
> > Thanks in advance for any clue.
> >
> > Cheers,
> >
> >
> >
> > -------- Original Message --------
> > Subject: [SECURITY] Frame injection vulnerability in published Javadoc
> > Date: Thu, 20 Jun 2013 09:29:23 +0100
> > From: Mark Thomas <markt@apache.org>
> > Reply-To: infrastructure@apache.org <infrastructure@apache.org>
> > To: committers@apache.org
> > CC: root@apache.org
> >
> > Hi All,
> >
> > Oracle has announced [1], [2] a frame injection vulnerability in
> > Javadoc generated by Java 5, Java 6 and Java 7 before update 22.
> >
> > The infrastructure team has completed a scan of our current project
> > websites and identified over 6000 instances of vulnerable Javadoc
> > distributed across most TLPs. The chances are the project(s) you
> > contribute to is(are) affected. A list of projects and the number of
> > affected Javadoc instances per project is provided at the end of this e-mail.
> >
> > Please take the necessary steps to fix any currently published Javadoc
> > and to ensure that any future Javadoc published by your project does
> > not contain the vulnerability. The announcement by Oracle includes a
> > link to a tool that can be used to fix Javadoc without regeneration.
> >
> > The infrastructure team is investigating options for preventing the
> > publication of vulnerable Javadoc.
> >
> > The issue is public and may be discussed freely on your project's dev list.
> >
> > Thanks,
> >
> > Mark (ASF Infra)
> >
> >
> >
> > [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
> > [2] http://www.kb.cert.org/vuls/id/225657
> >
> > Project			Instances
> > abdera.apache.org	1
> > accumulo.apache.org	2
> > activemq.apache.org	105
> > any23.apache.org	13
> > archiva.apache.org	4
> > archive.apache.org	13
> > aries.apache.org	7
> > avro.apache.org		23
> > axis.apache.org		5
> > beehive.apache.org	16
> > bval.apache.org		12
> > camel.apache.org	786
> > cayenne.apache.org	4
> > chemistry.apache.org	6
> > click.apache.org	3
> > cocoon.apache.org	6
> > commons.apache.org	34
> > continuum.apache.org	9
> > creadur.apache.org	19
> > crunch.apache.org	4
> > ctakes.apache.org	2
> > curator.apache.org	4
> > cxf.apache.org		6
> > db.apache.org		39
> > directory.apache.org	4
> > empire-db.apache.org	1
> > felix.apache.org	5
> > flume.apache.org	5
> > geronimo.apache.org	241
> > giraph.apache.org	6
> > gora.apache.org		3
> > hadoop.apache.org	21
> > hbase.apache.org	2
> > hive.apache.org		4
> > hivemind.apache.org	10
> > incubator.apache.org	355
> > jackrabbit.apache.org	9
> > jakarta.apache.org	39
> > james.apache.org	53
> > jena.apache.org		5
> > juddi.apache.org	3
> > lenya.apache.org	46
> > logging.apache.org	111
> > lucene.apache.org	713
> > manifoldcf.apache.org	112
> > marmotta.apache.org	1
> > maven.apache.org	1623
> > maventest.apache.org	1178
> > mina.apache.org		2
> > mrunit.apache.org	3
> > myfaces.apache.org	348
> > nutch.apache.org	8
> > oltu.apache.org		11
> > oodt.apache.org		1
> > ooo-site.apache.org	1
> > oozie.apache.org	10
> > openjpa.apache.org	20
> > opennlp.apache.org	9
> > pdfbox.apache.org	1
> > pig.apache.org		7
> > pivot.apache.org	1
> > poi.apache.org		1
> > portals.apache.org	35
> > river.apache.org	2
> > santuario.apache.org	1
> > shale.apache.org	55
> > shiro.apache.org	3
> > sling.apache.org	2
> > sqoop.apache.org	4
> > struts.apache.org	190
> > subversion.apache.org	3
> > synapse.apache.org	1
> > syncope.apache.org	2
> > tapestry.apache.org	6
> > tika.apache.org		9
> > tiles.apache.org	12
> > turbine.apache.org	100
> > tuscany.apache.org	4
> > uima.apache.org		12
> > velocity.apache.org	41
> > whirr.apache.org	2
> > wicket.apache.org	3
> > wink.apache.org		13
> > ws.apache.org		22
> > xalan.apache.org	1
> > xerces.apache.org	5
> > xml.apache.org		1
> > xmlbeans.apache.org	3
> > zookeeper.apache.org	18
> >
> >
> >
> > --
> > Sergio Fernández
> > Salzburg Research
> > +43 662 2288 318
> > Jakob-Haringer Strasse 5/II
> > A-5020 Salzburg (Austria)
> > http://www.salzburgresearch.at
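As an added example (not code from this thread, from Lucene or from the Maven javadoc plugin), a Python check a project could run over a published site tree before and after post-processing: it flags Javadoc index.html files that still copy window.location.search into targetPage without the validURL() guard that the JDK fix and Oracle's updater tool insert in front of the frame load. The marker strings and the two sample pages are assumptions of this example, not the scan Infra used.

```python
"""Find Javadoc index.html files that still carry the frame-injection bug.

Heuristic assumed by this example: a frameset index.html is vulnerable when it
feeds targetPage from window.location.search and has no validURL() helper.
"""
import os
import re

# Assignment that takes the frame target straight from the query string.
TARGET_RE = re.compile(r'targetPage\s*=\s*""\s*\+\s*window\.location\.search')
# Marker left by the fix: the allow-list validator added before loadFrames().
GUARD_RE = re.compile(r'function\s+validURL\s*\(')


def is_vulnerable(html: str) -> bool:
    """True if the page uses targetPage from the URL without validURL()."""
    return bool(TARGET_RE.search(html)) and not GUARD_RE.search(html)


def scan_tree(root: str):
    """Walk a published site and return sorted paths of vulnerable index.html."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "index.html":
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if is_vulnerable(fh.read()):
                        hits.append(path)
            except OSError:
                pass  # unreadable file: skip, do not abort the scan
    return sorted(hits)


# Constructed samples: the script block as emitted by an unpatched javadoc
# tool, and the same block after the guard has been inserted.
VULNERABLE_SAMPLE = """<script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
             top.classFrame.location = top.targetPage;
    }
</script>"""
PATCHED_SAMPLE = VULNERABLE_SAMPLE.replace(
    "targetPage = targetPage.substring(1);",
    'targetPage = targetPage.substring(1);\n'
    '    if (targetPage.indexOf(":") != -1 || (targetPage != "" && !validURL(targetPage)))\n'
    '        targetPage = "undefined";\n'
    '    function validURL(url) { /* allow-list body elided in this sample */ }')

if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("vulnerable javadoc:", hit)
```

Run it against the checkout of a project's site (or the apidocs directory) and treat every reported path as still needing regeneration or post-processing.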


