www-builds mailing list archives

From Sergio Fernández <sergio.fernan...@salzburgresearch.at>
Subject Re: [SECURITY] Frame injection vulnerability in published Javadoc
Date Mon, 01 Jul 2013 10:21:11 GMT
Confirmed that maven-javadoc-plugin:2.9.1 solves the issue;
see MARMOTTA-263 for further details.

On 24/06/13 12:12, Uwe Schindler wrote:
> Hi,
>
> A possible solution for Maven until MJAVADOC-370 is part of an official release may be
> to use my ANT task using the ANTrunner plugin in Maven:
> http://maven.apache.org/plugins/maven-antrun-plugin/
> Just call my Lucene ANT macro from there, parametrizing the dir= and encoding= from maven
> properties.
>
>> Generated by javadoc (build 1.6.0_32) on Sun Jun 23 16:32:14 UTC 2013
>
> This comes from JAVA_HOME, so you could grep on that and fail the build...
>
> Uwe
>
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: uwe@thetaphi.de
>
>
>> -----Original Message-----
>> From: Sergio Fernández [mailto:sergio.fernandez@salzburgresearch.at]
>> Sent: Monday, June 24, 2013 11:53 AM
>> To: builds@apache.org
>> Cc: Uwe Schindler
>> Subject: Re: [SECURITY] Frame injection vulnerability in published Javadoc
>>
>> Thanks Uwe for the hints.
>>
>> We tried to force java7 from the pom, but the site plugin looks to ignore the
>> regular settings source code, at least there, because I can see in the source
>> code of the generated javadoc:
>>
>> Generated by javadoc (build 1.6.0_32) on Sun Jun 23 16:32:14 UTC 2013
>>
>> AFAIK maven looks for the javadoc binary in the JAVA_HOME; how could I
>> check which value it is taking there? Because this could be the quickest solution
>> until MJAVADOC-370 is solved.
>>
>> Cheers,
>>
>>
>>
>> On 23/06/13 18:57, Uwe Schindler wrote:
>>> The Maven issue is here: https://jira.codehaus.org/browse/MJAVADOC-370
>>>
>>> -----
>>> Uwe Schindler
>>> H.-H.-Meier-Allee 63, D-28213 Bremen
>>> http://www.thetaphi.de
>>> eMail: uwe@thetaphi.de
>>>
>>>
>>>> -----Original Message-----
>>>> From: Uwe Schindler [mailto:uwe@thetaphi.de]
>>>> Sent: Sunday, June 23, 2013 6:55 PM
>>>> To: builds@apache.org
>>>> Subject: RE: [SECURITY] Frame injection vulnerability in published
>>>> Javadoc
>>>>
>>>> Hi,
>>>>
>>>> once Lucene's bug is committed (see
>>>> https://issues.apache.org/jira/browse/LUCENE-5072), we have no
>>>> problem anymore. For Maven-builds there is already an issue open on
>>>> the javadoc plugin to implement fixing directly inside the javadoc
>>>> plugin. I contributed a patch there already.
>>>>
>>>> The big issue is: We can only fix Jenkins to create correct Javadocs
>>>> on Java 7 build, but Java 6 and Java 5 builds have no recent JDK
>>>> available that fixes the build (except Apple JDK 6 - argh!). The only
>>>> way is to fix the build in the projects to post-process javadocs
>>>> after generating them. The issue could be solved for Maven projects
>>>> by a plugin upgrade once it is released and for ANT project using the
>>>> snippet here: http://goo.gl/dq3LJ
>>>>
>>>> Uwe
>>>>
>>>> -----
>>>> Uwe Schindler
>>>> H.-H.-Meier-Allee 63, D-28213 Bremen
>>>> http://www.thetaphi.de
>>>> eMail: uwe@thetaphi.de
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: Sergio Fernández [mailto:sergio.fernandez@salzburgresearch.at]
>>>>> Sent: Sunday, June 23, 2013 6:31 PM
>>>>> To: builds@apache.org
>>>>> Subject: Fwd: [SECURITY] Frame injection vulnerability in published
>>>>> Javadoc
>>>>>
>>>>> Hi,
>>>>>
>>>>> regarding the security issue forwarded, I'd like to ask how a
>>>>> project using
>>>>> buildbot+maven should proceed.
>>>>>
>>>>> I've just updated the marmotta staging site, but the generated javadoc
>>>>> there still contains the buggy code:
>>>>>
>>>>> http://marmotta.staging.apache.org/apidocs/index.html
>>>>>
>>>>> Thanks in advance for any clue.
>>>>>
>>>>> Cheers,
>>>>>
>>>>>
>>>>>
>>>>> -------- Original Message --------
>>>>> Subject: [SECURITY] Frame injection vulnerability in published
>>>>> Javadoc
>>>>> Date: Thu, 20 Jun 2013 09:29:23 +0100
>>>>> From: Mark Thomas <markt@apache.org>
>>>>> Reply-To: infrastructure@apache.org <infrastructure@apache.org>
>>>>> To: committers@apache.org
>>>>> CC: root@apache.org
>>>>>
>>>>> Hi All,
>>>>>
>>>>> Oracle has announced [1], [2] a frame injection vulnerability in
>>>>> Javadoc generated by Java 5, Java 6 and Java 7 before update 22.
>>>>>
>>>>> The infrastructure team has completed a scan of our current project
>>>>> websites and identified over 6000 instances of vulnerable Javadoc
>>>>> distributed across most TLPs. The chances are the project(s) you
>>>>> contribute to is(are) affected. A list of projects and the number of
>>>>> affected Javadoc instances per project is provided at the end of this
>>>>> e-mail.
>>>>>
>>>>> Please take the necessary steps to fix any currently published
>>>>> Javadoc and to ensure that any future Javadoc published by your
>>>>> project does not contain the vulnerability. The announcement by
>>>>> Oracle includes a link to a tool that can be used to fix Javadoc without
>>>>> regeneration.
>>>>>
>>>>> The infrastructure team is investigating options for preventing the
>>>>> publication of vulnerable Javadoc.
>>>>>
>>>>> The issue is public and may be discussed freely on your project's dev
>>>>> list.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Mark (ASF Infra)
>>>>>
>>>>>
>>>>>
>>>>> [1]
>>>>> http://www.oracle.com/technetwork/topics/security/javacpujun2013-
>>>>> 1899847.html
>>>>> [2] http://www.kb.cert.org/vuls/id/225657
>>>>>
>>>>> Project			Instances
>>>>> abdera.apache.org	1
>>>>> accumulo.apache.org	2
>>>>> activemq.apache.org	105
>>>>> any23.apache.org	13
>>>>> archiva.apache.org	4
>>>>> archive.apache.org	13
>>>>> aries.apache.org	7
>>>>> avro.apache.org		23
>>>>> axis.apache.org		5
>>>>> beehive.apache.org	16
>>>>> bval.apache.org		12
>>>>> camel.apache.org	786
>>>>> cayenne.apache.org	4
>>>>> chemistry.apache.org	6
>>>>> click.apache.org	3
>>>>> cocoon.apache.org	6
>>>>> commons.apache.org	34
>>>>> continuum.apache.org	9
>>>>> creadur.apache.org	19
>>>>> crunch.apache.org	4
>>>>> ctakes.apache.org	2
>>>>> curator.apache.org	4
>>>>> cxf.apache.org		6
>>>>> db.apache.org		39
>>>>> directory.apache.org	4
>>>>> empire-db.apache.org	1
>>>>> felix.apache.org	5
>>>>> flume.apache.org	5
>>>>> geronimo.apache.org	241
>>>>> giraph.apache.org	6
>>>>> gora.apache.org		3
>>>>> hadoop.apache.org	21
>>>>> hbase.apache.org	2
>>>>> hive.apache.org		4
>>>>> hivemind.apache.org	10
>>>>> incubator.apache.org	355
>>>>> jackrabbit.apache.org	9
>>>>> jakarta.apache.org	39
>>>>> james.apache.org	53
>>>>> jena.apache.org		5
>>>>> juddi.apache.org	3
>>>>> lenya.apache.org	46
>>>>> logging.apache.org	111
>>>>> lucene.apache.org	713
>>>>> manifoldcf.apache.org	112
>>>>> marmotta.apache.org	1
>>>>> maven.apache.org	1623
>>>>> maventest.apache.org	1178
>>>>> mina.apache.org		2
>>>>> mrunit.apache.org	3
>>>>> myfaces.apache.org	348
>>>>> nutch.apache.org	8
>>>>> oltu.apache.org		11
>>>>> oodt.apache.org		1
>>>>> ooo-site.apache.org	1
>>>>> oozie.apache.org	10
>>>>> openjpa.apache.org	20
>>>>> opennlp.apache.org	9
>>>>> pdfbox.apache.org	1
>>>>> pig.apache.org		7
>>>>> pivot.apache.org	1
>>>>> poi.apache.org		1
>>>>> portals.apache.org	35
>>>>> river.apache.org	2
>>>>> santuario.apache.org	1
>>>>> shale.apache.org	55
>>>>> shiro.apache.org	3
>>>>> sling.apache.org	2
>>>>> sqoop.apache.org	4
>>>>> struts.apache.org	190
>>>>> subversion.apache.org	3
>>>>> synapse.apache.org	1
>>>>> syncope.apache.org	2
>>>>> tapestry.apache.org	6
>>>>> tika.apache.org		9
>>>>> tiles.apache.org	12
>>>>> turbine.apache.org	100
>>>>> tuscany.apache.org	4
>>>>> uima.apache.org		12
>>>>> velocity.apache.org	41
>>>>> whirr.apache.org	2
>>>>> wicket.apache.org	3
>>>>> wink.apache.org		13
>>>>> ws.apache.org		22
>>>>> xalan.apache.org	1
>>>>> xerces.apache.org	5
>>>>> xml.apache.org		1
>>>>> xmlbeans.apache.org	3
>>>>> zookeeper.apache.org	18
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Sergio Fernández
>>>>> Salzburg Research
>>>>> +43 662 2288 318
>>>>> Jakob-Haringer Strasse 5/II
>>>>> A-5020 Salzburg (Austria)
>>>>> http://www.salzburgresearch.at
>>>
>>>
>>
>> --
>> Sergio Fernández
>> Salzburg Research
>> +43 662 2288 318
>> Jakob-Haringer Strasse 5/II
>> A-5020 Salzburg (Austria)
>> http://www.salzburgresearch.at
>

-- 
Sergio Fernández
Salzburg Research
+43 662 2288 318
Jakob-Haringer Strasse 5/II
A-5020 Salzburg (Austria)
http://www.salzburgresearch.at
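The check Uwe suggests above (grep the generator stamp and fail the build), carried through as an added example that is not code from this thread or from any Apache project: it parses the "Generated by javadoc (build 1.6.0_32)" comment Sergio quoted and flags pages whose generating JDK falls in the range the infra announcement lists. Treating every Java 5 and Java 6 build as affected follows the thread; matching a "(version ...)" spelling for later JDK 7 builds is an assumption of this script.

```python
"""Flag Javadoc pages generated by a JDK in the affected range the thread cites."""
import os
import re
import sys
from typing import List, Optional, Tuple

# Javadoc stamps every page with a generator comment; the thread quotes
# "Generated by javadoc (build 1.6.0_32) ...". Later 7u builds write
# "(version 1.7.0_25)"; matching both spellings is an assumption of this script.
STAMP_RE = re.compile(
    r"Generated by javadoc \((?:build|version) 1\.(\d+)\.\d+(?:_(\d+))?\)")

# Constructed sample page carrying the stamp Sergio saw on the staging site.
SAMPLE_PAGE = ("<!DOCTYPE HTML><html><head>\n<!-- Generated by javadoc "
               "(build 1.6.0_32) on Sun Jun 23 16:32:14 UTC 2013 -->\n"
               "<title>Overview</title></head><body></body></html>")

def parse_stamp(html: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from the generator comment, or None if absent."""
    m = STAMP_RE.search(html)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)

def is_vulnerable(major: int, update: int) -> bool:
    """Java 5, Java 6, and Java 7 before update 22, as the announcement states."""
    if major in (5, 6):
        return True
    return major == 7 and update < 22

def scan_javadoc_tree(root: str) -> List[str]:
    """List .html files under root whose stamp is in the affected range.
    Pages without a stamp (hand-written or post-processed) are skipped."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".html"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                stamp = parse_stamp(fh.read())
            if stamp and is_vulnerable(*stamp):
                hits.append(path)
    return hits

if __name__ == "__main__":  # usage: python check_javadoc.py target/site/apidocs
    bad = scan_javadoc_tree(sys.argv[1] if len(sys.argv) > 1 else "target/site/apidocs")
    for path in bad:
        print("vulnerable javadoc:", path)
    sys.exit(1 if bad else 0)  # non-zero exit fails the build, as Uwe suggested
```

Wire the script into the site build after javadoc generation so a stale JAVA_HOME (the 1.6.0_32 case in this thread) stops the publish step instead of reaching the staging site.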
