www-builds mailing list archives

From Sergio Fernández <sergio.fernan...@salzburgresearch.at>
Subject Re: [SECURITY] Frame injection vulnerability in published Javadoc
Date Mon, 24 Jun 2013 09:53:15 GMT
Thanks Uwe for the hints.

We tried to force java7 from the pom, but the site plugin looks to ignore the regular settings, at least there, because I can see in the source code of the generated javadoc:

Generated by javadoc (build 1.6.0_32) on Sun Jun 23 16:32:14 UTC 2013

AFAIK maven looks up the javadoc binary from JAVA_HOME; how could I check which value it is taking there? Because this could be the quickest solution until MJAVADOC-370 is solved.

Cheers,



On 23/06/13 18:57, Uwe Schindler wrote:
> The Maven issue is here: https://jira.codehaus.org/browse/MJAVADOC-370
>
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: uwe@thetaphi.de
>
>
>> -----Original Message-----
>> From: Uwe Schindler [mailto:uwe@thetaphi.de]
>> Sent: Sunday, June 23, 2013 6:55 PM
>> To: builds@apache.org
>> Subject: RE: [SECURITY] Frame injection vulnerability in published Javadoc
>>
>> Hi,
>>
>> once Lucene's bug is committed (see
>> https://issues.apache.org/jira/browse/LUCENE-5072), we have no problem
>> anymore. For Maven builds there is already an issue open on the javadoc
>> plugin to implement the fix directly inside the javadoc plugin. I contributed a
>> patch there already.
>>
>> The big issue is: We can only fix Jenkins to create correct Javadocs on Java 7
>> builds, but Java 6 and Java 5 builds have no recent JDK available that fixes the
>> build (except Apple JDK 6 - argh!). The only way is to fix the build in the
>> projects to post-process javadocs after generating them. The issue could be
>> solved for Maven projects by a plugin upgrade once it is released and for ANT
>> projects using the snippet here: http://goo.gl/dq3LJ
>>
>> Uwe
>>
>> -----
>> Uwe Schindler
>> H.-H.-Meier-Allee 63, D-28213 Bremen
>> http://www.thetaphi.de
>> eMail: uwe@thetaphi.de
>>
>>
>>> -----Original Message-----
>>> From: Sergio Fernández [mailto:sergio.fernandez@salzburgresearch.at]
>>> Sent: Sunday, June 23, 2013 6:31 PM
>>> To: builds@apache.org
>>> Subject: Fwd: [SECURITY] Frame injection vulnerability in published
>>> Javadoc
>>>
>>> Hi,
>>>
>>> regarding the security issue forwarded, I'd like to ask how a project
>>> using buildbot+maven should proceed.
>>>
>>> I've just updated the marmotta staging site, but the generated javadoc
>>> there still contains the buggy code:
>>>
>>> http://marmotta.staging.apache.org/apidocs/index.html
>>>
>>> Thanks in advance for any clue.
>>>
>>> Cheers,
>>>
>>>
>>>
>>> -------- Original Message --------
>>> Subject: [SECURITY] Frame injection vulnerability in published Javadoc
>>> Date: Thu, 20 Jun 2013 09:29:23 +0100
>>> From: Mark Thomas <markt@apache.org>
>>> Reply-To: infrastructure@apache.org <infrastructure@apache.org>
>>> To: committers@apache.org
>>> CC: root@apache.org
>>>
>>> Hi All,
>>>
>>> Oracle has announced [1], [2] a frame injection vulnerability in
>>> Javadoc generated by Java 5, Java 6 and Java 7 before update 22.
>>>
>>> The infrastructure team has completed a scan of our current project
>>> websites and identified over 6000 instances of vulnerable Javadoc
>>> distributed across most TLPs. The chances are the project(s) you
>>> contribute to is(are) affected. A list of projects and the number of
>>> affected Javadoc instances per project is provided at the end of this e-mail.
>>>
>>> Please take the necessary steps to fix any currently published Javadoc
>>> and to ensure that any future Javadoc published by your project does
>>> not contain the vulnerability. The announcement by Oracle includes a
>>> link to a tool that can be used to fix Javadoc without regeneration.
>>>
>>> The infrastructure team is investigating options for preventing the
>>> publication of vulnerable Javadoc.
>>>
>>> The issue is public and may be discussed freely on your project's dev list.
>>>
>>> Thanks,
>>>
>>> Mark (ASF Infra)
>>>
>>>
>>>
>>> [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
>>> [2] http://www.kb.cert.org/vuls/id/225657
>>>
>>> Project			Instances
>>> abdera.apache.org	1
>>> accumulo.apache.org	2
>>> activemq.apache.org	105
>>> any23.apache.org	13
>>> archiva.apache.org	4
>>> archive.apache.org	13
>>> aries.apache.org	7
>>> avro.apache.org		23
>>> axis.apache.org		5
>>> beehive.apache.org	16
>>> bval.apache.org		12
>>> camel.apache.org	786
>>> cayenne.apache.org	4
>>> chemistry.apache.org	6
>>> click.apache.org	3
>>> cocoon.apache.org	6
>>> commons.apache.org	34
>>> continuum.apache.org	9
>>> creadur.apache.org	19
>>> crunch.apache.org	4
>>> ctakes.apache.org	2
>>> curator.apache.org	4
>>> cxf.apache.org		6
>>> db.apache.org		39
>>> directory.apache.org	4
>>> empire-db.apache.org	1
>>> felix.apache.org	5
>>> flume.apache.org	5
>>> geronimo.apache.org	241
>>> giraph.apache.org	6
>>> gora.apache.org		3
>>> hadoop.apache.org	21
>>> hbase.apache.org	2
>>> hive.apache.org		4
>>> hivemind.apache.org	10
>>> incubator.apache.org	355
>>> jackrabbit.apache.org	9
>>> jakarta.apache.org	39
>>> james.apache.org	53
>>> jena.apache.org		5
>>> juddi.apache.org	3
>>> lenya.apache.org	46
>>> logging.apache.org	111
>>> lucene.apache.org	713
>>> manifoldcf.apache.org	112
>>> marmotta.apache.org	1
>>> maven.apache.org	1623
>>> maventest.apache.org	1178
>>> mina.apache.org		2
>>> mrunit.apache.org	3
>>> myfaces.apache.org	348
>>> nutch.apache.org	8
>>> oltu.apache.org		11
>>> oodt.apache.org		1
>>> ooo-site.apache.org	1
>>> oozie.apache.org	10
>>> openjpa.apache.org	20
>>> opennlp.apache.org	9
>>> pdfbox.apache.org	1
>>> pig.apache.org		7
>>> pivot.apache.org	1
>>> poi.apache.org		1
>>> portals.apache.org	35
>>> river.apache.org	2
>>> santuario.apache.org	1
>>> shale.apache.org	55
>>> shiro.apache.org	3
>>> sling.apache.org	2
>>> sqoop.apache.org	4
>>> struts.apache.org	190
>>> subversion.apache.org	3
>>> synapse.apache.org	1
>>> syncope.apache.org	2
>>> tapestry.apache.org	6
>>> tika.apache.org		9
>>> tiles.apache.org	12
>>> turbine.apache.org	100
>>> tuscany.apache.org	4
>>> uima.apache.org		12
>>> velocity.apache.org	41
>>> whirr.apache.org	2
>>> wicket.apache.org	3
>>> wink.apache.org		13
>>> ws.apache.org		22
>>> xalan.apache.org	1
>>> xerces.apache.org	5
>>> xml.apache.org		1
>>> xmlbeans.apache.org	3
>>> zookeeper.apache.org	18
>>>
>>>
>>>
>>> --
>>> Sergio Fernández
>>> Salzburg Research
>>> +43 662 2288 318
>>> Jakob-Haringer Strasse 5/II
>>> A-5020 Salzburg (Austria)
>>> http://www.salzburgresearch.at
>
>

-- 
Sergio Fernández
Salzburg Research
+43 662 2288 318
Jakob-Haringer Strasse 5/II
A-5020 Salzburg (Austria)
http://www.salzburgresearch.at
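The scan Mark's team ran and the staging check Sergio did by hand can be scripted. The following is an added example, not code from this thread, from Oracle, or from any of the projects listed: it walks a published site tree and flags Javadoc frameset index.html pages that still read targetPage from the query string without a validation function. It assumes that a fixed page (post-processed, or generated by a patched JDK) contains a function named validURL; the two HTML samples are constructed, with the build string taken from Sergio's message.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed samples modelled on the frameset index.html javadoc emits.
VULNERABLE_SAMPLE = """<!-- Generated by javadoc (build 1.6.0_32) on Sun Jun 23 16:32:14 UTC 2013 -->
<script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    if (targetPage.indexOf(":") != -1)
        targetPage = "undefined";
</script>"""
# A "fixed" page additionally defines validURL(); the body is irrelevant to the detector.
FIXED_SAMPLE = VULNERABLE_SAMPLE.replace(
    'targetPage = "undefined";',
    'targetPage = "undefined";\n    function validURL(url) { /* whitelist check */ }')

VERSION_RE = re.compile(r"Generated by javadoc \(build ([^)]+)\)")
FIXED_RE = re.compile(r"function\s+validURL\s*\(")

def classify_index_html(html: str) -> str:
    """'not-a-frameset' (no targetPage logic), 'fixed' (validURL present) or 'vulnerable'.
    Assumption: every patched page carries a validURL() definition."""
    if "targetPage" not in html:
        return "not-a-frameset"
    return "fixed" if FIXED_RE.search(html) else "vulnerable"

def javadoc_build(html: str) -> Optional[str]:
    """Extract the JDK build string javadoc stamps into the page, if present."""
    m = VERSION_RE.search(html)
    return m.group(1) if m else None

def scan_tree(root: str) -> List[Tuple[str, Optional[str]]]:
    """Walk a site tree; return (path, build) for every index.html still lacking the check."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "index.html" in files:
            path = os.path.join(dirpath, "index.html")
            html = Path(path).read_text(encoding="utf-8", errors="replace")
            if classify_index_html(html) == "vulnerable":
                findings.append((path, javadoc_build(html)))
    return sorted(findings)

def demo() -> int:
    """Write both samples into a temporary site tree, scan it, return the finding count."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("old/apidocs", VULNERABLE_SAMPLE), ("new/apidocs", FIXED_SAMPLE)):
            d = Path(root, name); d.mkdir(parents=True)
            (d / "index.html").write_text(body, encoding="utf-8")
        findings = scan_tree(root)
        for path, build in findings:
            print(f"VULNERABLE {path} (javadoc build {build})")
        return len(findings)

if __name__ == "__main__":
    demo()
```

Point scan_tree at the root of a published site (e.g. a staging checkout) to get the per-project count the infra list reports; pages without targetPage logic are skipped rather than counted.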
