From "Uwe Schindler" <...@thetaphi.de>
Subject RE: [SECURITY] Frame injection vulnerability in published Javadoc
Date Mon, 24 Jun 2013 10:12:37 GMT
Hi,

A possible solution for Maven until MJAVADOC-370 is part of an official release may be to
use my ANT task using the ANTrunner plugin in Maven:
http://maven.apache.org/plugins/maven-antrun-plugin/
Just call my Lucene ANT macro from there, parametrizing the dir= and encoding= from maven
properties.

> Generated by javadoc (build 1.6.0_32) on Sun Jun 23 16:32:14 UTC 2013

This comes from JAVA_HOME, so you could grep on that and fail the build...

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de
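Uwe's grep-and-fail idea, worked through as an added example (this is not code from the thread, from Lucene's ANT macro, or from the Maven javadoc plugin): it reads the "Generated by javadoc (...)" comment out of every generated HTML page, decides whether the recorded JDK is in the affected range Mark's mail names (Java 5, Java 6, Java 7 before update 22), and returns non-zero so a build script can fail. The sample tree it scans is constructed inline; the 7u25 page and the "(version X)" spelling JDK 7 uses are assumptions, and any JDK outside 1.5/1.6/1.7 is treated as unaffected.

```shell
#!/bin/sh
# Added example, not code from the thread: implement Uwe's suggestion of
# grepping the "Generated by javadoc (build ...)" comment (which records the
# JAVA_HOME JDK) and failing the build when that JDK is in the range Mark's
# mail lists as affected: Java 5, Java 6, and Java 7 before update 22.

# Return 0 when a javadoc version string such as 1.6.0_32 or 1.7.0_25 comes
# from an affected JDK, 1 otherwise. Assumption: anything other than 1.5,
# 1.6 or 1.7 is treated as unaffected, since the advisory names only those.
javadoc_version_affected() {
  major=$(printf '%s' "$1" | cut -d. -f2)
  update=$(printf '%s' "$1" | sed -n 's/^[0-9]*\.[0-9]*\.[0-9]*_\([0-9]*\).*/\1/p')
  [ -n "$update" ] || update=0          # "1.7.0" with no update number
  case "$major" in
    5|6) return 0 ;;
    7) if [ "$update" -lt 22 ]; then return 0; fi ;;
  esac
  return 1
}

# Scan every HTML file under a Javadoc output directory, print each file
# generated by an affected JDK, and return 1 if any was found so a build
# script can fail on it. JDK 6 writes "(build X)"; "(version X)" is assumed
# for JDK 7, so both spellings are accepted.
check_javadoc_dir() {
  found=0
  for f in $(find "$1" -name '*.html'); do
    ver=$(sed -n 's/.*Generated by javadoc ([a-z]* \([0-9][0-9._]*\)).*/\1/p' "$f" | head -n 1)
    [ -n "$ver" ] || continue
    if javadoc_version_affected "$ver"; then
      echo "AFFECTED: $f (javadoc $ver)"
      found=1
    fi
  done
  return $found
}

# Constructed sample tree: one page carrying the exact comment Sergio quoted
# from marmotta's Java 6 build, one regenerated with a (hypothetical) 7u25.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/old" "$demo_dir/new"
printf '<!-- Generated by javadoc (build 1.6.0_32) on Sun Jun 23 16:32:14 UTC 2013 -->\n' \
  > "$demo_dir/old/index.html"
printf '<!-- Generated by javadoc (version 1.7.0_25) on Mon Jun 24 10:00:00 UTC 2013 -->\n' \
  > "$demo_dir/new/index.html"

if check_javadoc_dir "$demo_dir"; then
  echo "javadoc check passed"
else
  echo "vulnerable javadoc found, failing build" >&2
fi
```

Pointing `check_javadoc_dir` at the site plugin's output (e.g. `target/site/apidocs`) from a Maven exec or ANT step turns the check into a build gate; it only detects an affected JDK, it does not apply the post-processing fix.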


> -----Original Message-----
> From: Sergio Fernández [mailto:sergio.fernandez@salzburgresearch.at]
> Sent: Monday, June 24, 2013 11:53 AM
> To: builds@apache.org
> Cc: Uwe Schindler
> Subject: Re: [SECURITY] Frame injection vulnerability in published Javadoc
> 
> Thanks Uwe for the hints.
> 
> We tried to force java7 from the pom, but the site plugin looks to ignore the
> regular settings source code, at least there, because I can see in the source
> code of generated javadoc:
> 
> Generated by javadoc (build 1.6.0_32) on Sun Jun 23 16:32:14 UTC 2013
> 
> AFAIK maven looks up the javadoc binary from the JAVA_HOME; how could I
> check which value it is taking there? Because this could be the quickest solution,
> meanwhile MJAVADOC-370 is solved.
> 
> Cheers,
> 
> 
> 
> On 23/06/13 18:57, Uwe Schindler wrote:
> > The Maven issue is here: https://jira.codehaus.org/browse/MJAVADOC-370
> >
> > -----
> > Uwe Schindler
> > H.-H.-Meier-Allee 63, D-28213 Bremen
> > http://www.thetaphi.de
> > eMail: uwe@thetaphi.de
> >
> >
> >> -----Original Message-----
> >> From: Uwe Schindler [mailto:uwe@thetaphi.de]
> >> Sent: Sunday, June 23, 2013 6:55 PM
> >> To: builds@apache.org
> >> Subject: RE: [SECURITY] Frame injection vulnerability in published
> >> Javadoc
> >>
> >> Hi,
> >>
> >> once Lucene's bug is committed (see
> >> https://issues.apache.org/jira/browse/LUCENE-5072), we have no
> >> problem anymore. For Maven-builds there is already an issue open on
> >> the javadoc plugin to implement fixing directly inside the javadoc
> >> plugin. I contributed a patch there already.
> >>
> >> The big issue is: We can only fix Jenkins to create correct Javadocs
> >> on Java 7 builds, but Java 6 and Java 5 builds have no recent JDK
> >> available that fixes the build (except Apple JDK 6 - argh!). The only
> >> way is to fix the build in the projects to post-process javadocs
> >> after generating them. The issue could be solved for Maven projects
> >> by a plugin upgrade once it is released and for ANT projects using the
> >> snippet here: http://goo.gl/dq3LJ
> >>
> >> Uwe
> >>
> >> -----
> >> Uwe Schindler
> >> H.-H.-Meier-Allee 63, D-28213 Bremen
> >> http://www.thetaphi.de
> >> eMail: uwe@thetaphi.de
> >>
> >>
> >>> -----Original Message-----
> >>> From: Sergio Fernández [mailto:sergio.fernandez@salzburgresearch.at]
> >>> Sent: Sunday, June 23, 2013 6:31 PM
> >>> To: builds@apache.org
> >>> Subject: Fwd: [SECURITY] Frame injection vulnerability in published
> >>> Javadoc
> >>>
> >>> Hi,
> >>>
> >>> regarding the security issue forwarded, I'd like to ask how a
> >>> project using
> >>> buildbot+maven should proceed.
> >>>
> >>> I've just updated marmotta staging site, but the generated javadoc
> >>> there still contains the buggy code:
> >>>
> >>> http://marmotta.staging.apache.org/apidocs/index.html
> >>>
> >>> Thanks in advance for any clue.
> >>>
> >>> Cheers,
> >>>
> >>>
> >>>
> >>> -------- Original Message --------
> >>> Subject: [SECURITY] Frame injection vulnerability in published
> >>> Javadoc
> >>> Date: Thu, 20 Jun 2013 09:29:23 +0100
> >>> From: Mark Thomas <markt@apache.org>
> >>> Reply-To: infrastructure@apache.org <infrastructure@apache.org>
> >>> To: committers@apache.org
> >>> CC: root@apache.org
> >>>
> >>> Hi All,
> >>>
> >>> Oracle has announced [1], [2] a frame injection vulnerability in
> >>> Javadoc generated by Java 5, Java 6 and Java 7 before update 22.
> >>>
> >>> The infrastructure team has completed a scan of our current project
> >>> websites and identified over 6000 instances of vulnerable Javadoc
> >>> distributed across most TLPs. The chances are the project(s) you
> >>> contribute to is(are) affected. A list of projects and the number of
> >>> affected Javadoc instances per project is provided at the end of this e-mail.
> >>>
> >>> Please take the necessary steps to fix any currently published
> >>> Javadoc and to ensure that any future Javadoc published by your
> >>> project does not contain the vulnerability. The announcement by
> >>> Oracle includes a link to a tool that can be used to fix Javadoc without regeneration.
> >>>
> >>> The infrastructure team is investigating options for preventing the
> >>> publication of vulnerable Javadoc.
> >>>
> >>> The issue is public and may be discussed freely on your project's dev list.
> >>>
> >>> Thanks,
> >>>
> >>> Mark (ASF Infra)
> >>>
> >>>
> >>>
> >>> [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
> >>> [2] http://www.kb.cert.org/vuls/id/225657
> >>>
> >>> Project			Instances
> >>> abdera.apache.org	1
> >>> accumulo.apache.org	2
> >>> activemq.apache.org	105
> >>> any23.apache.org	13
> >>> archiva.apache.org	4
> >>> archive.apache.org	13
> >>> aries.apache.org	7
> >>> avro.apache.org		23
> >>> axis.apache.org		5
> >>> beehive.apache.org	16
> >>> bval.apache.org		12
> >>> camel.apache.org	786
> >>> cayenne.apache.org	4
> >>> chemistry.apache.org	6
> >>> click.apache.org	3
> >>> cocoon.apache.org	6
> >>> commons.apache.org	34
> >>> continuum.apache.org	9
> >>> creadur.apache.org	19
> >>> crunch.apache.org	4
> >>> ctakes.apache.org	2
> >>> curator.apache.org	4
> >>> cxf.apache.org		6
> >>> db.apache.org		39
> >>> directory.apache.org	4
> >>> empire-db.apache.org	1
> >>> felix.apache.org	5
> >>> flume.apache.org	5
> >>> geronimo.apache.org	241
> >>> giraph.apache.org	6
> >>> gora.apache.org		3
> >>> hadoop.apache.org	21
> >>> hbase.apache.org	2
> >>> hive.apache.org		4
> >>> hivemind.apache.org	10
> >>> incubator.apache.org	355
> >>> jackrabbit.apache.org	9
> >>> jakarta.apache.org	39
> >>> james.apache.org	53
> >>> jena.apache.org		5
> >>> juddi.apache.org	3
> >>> lenya.apache.org	46
> >>> logging.apache.org	111
> >>> lucene.apache.org	713
> >>> manifoldcf.apache.org	112
> >>> marmotta.apache.org	1
> >>> maven.apache.org	1623
> >>> maventest.apache.org	1178
> >>> mina.apache.org		2
> >>> mrunit.apache.org	3
> >>> myfaces.apache.org	348
> >>> nutch.apache.org	8
> >>> oltu.apache.org		11
> >>> oodt.apache.org		1
> >>> ooo-site.apache.org	1
> >>> oozie.apache.org	10
> >>> openjpa.apache.org	20
> >>> opennlp.apache.org	9
> >>> pdfbox.apache.org	1
> >>> pig.apache.org		7
> >>> pivot.apache.org	1
> >>> poi.apache.org		1
> >>> portals.apache.org	35
> >>> river.apache.org	2
> >>> santuario.apache.org	1
> >>> shale.apache.org	55
> >>> shiro.apache.org	3
> >>> sling.apache.org	2
> >>> sqoop.apache.org	4
> >>> struts.apache.org	190
> >>> subversion.apache.org	3
> >>> synapse.apache.org	1
> >>> syncope.apache.org	2
> >>> tapestry.apache.org	6
> >>> tika.apache.org		9
> >>> tiles.apache.org	12
> >>> turbine.apache.org	100
> >>> tuscany.apache.org	4
> >>> uima.apache.org		12
> >>> velocity.apache.org	41
> >>> whirr.apache.org	2
> >>> wicket.apache.org	3
> >>> wink.apache.org		13
> >>> ws.apache.org		22
> >>> xalan.apache.org	1
> >>> xerces.apache.org	5
> >>> xml.apache.org		1
> >>> xmlbeans.apache.org	3
> >>> zookeeper.apache.org	18
> >>>
> >>>
> >>>
> >>> --
> >>> Sergio Fernández
> >>> Salzburg Research
> >>> +43 662 2288 318
> >>> Jakob-Haringer Strasse 5/II
> >>> A-5020 Salzburg (Austria)
> >>> http://www.salzburgresearch.at
> >
> >
> 
> --
> Sergio Fernández
> Salzburg Research
> +43 662 2288 318
> Jakob-Haringer Strasse 5/II
> A-5020 Salzburg (Austria)
> http://www.salzburgresearch.at

