Looks like both the Xerces and Xalan websites are affected. Oracle has made a tool available for repairing the Javadoc. We'll need to fix this.

---------- Forwarded message ----------
From: Mark Thomas <markt@apache.org>
Date: Thu, Jun 20, 2013 at 4:29 AM
Subject: [SECURITY] Frame injection vulnerability in published Javadoc
To: committers@apache.org
Cc: root@apache.org


Hi All,

Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
generated by Java 5, Java 6 and Java 7 before update 22.

The infrastructure team has completed a scan of our current project
websites and identified over 6000 instances of vulnerable Javadoc
distributed across most TLPs. The chances are the project(s) you
contribute to is(are) affected. A list of projects and the number of
affected Javadoc instances per project is provided at the end of this
e-mail.

Please take the necessary steps to fix any currently published Javadoc
and to ensure that any future Javadoc published by your project does not
contain the vulnerability. The announcement by Oracle includes a link to
a tool that can be used to fix Javadoc without regeneration.

The infrastructure team is investigating options for preventing the
publication of vulnerable Javadoc.

The issue is public and may be discussed freely on your project's dev list.

Thanks,

Mark (ASF Infra)



[1]
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
[2] http://www.kb.cert.org/vuls/id/225657

Project                 Instances
abdera.apache.org       1
accumulo.apache.org     2
activemq.apache.org     105
any23.apache.org        13
archiva.apache.org      4
archive.apache.org      13
aries.apache.org        7
avro.apache.org         23
axis.apache.org         5
beehive.apache.org      16
bval.apache.org         12
camel.apache.org        786
cayenne.apache.org      4
chemistry.apache.org    6
click.apache.org        3
cocoon.apache.org       6
commons.apache.org      34
continuum.apache.org    9
creadur.apache.org      19
crunch.apache.org       4
ctakes.apache.org       2
curator.apache.org      4
cxf.apache.org          6
db.apache.org           39
directory.apache.org    4
empire-db.apache.org    1
felix.apache.org        5
flume.apache.org        5
geronimo.apache.org     241
giraph.apache.org       6
gora.apache.org         3
hadoop.apache.org       21
hbase.apache.org        2
hive.apache.org         4
hivemind.apache.org     10
incubator.apache.org    355
jackrabbit.apache.org   9
jakarta.apache.org      39
james.apache.org        53
jena.apache.org         5
juddi.apache.org        3
lenya.apache.org        46
logging.apache.org      111
lucene.apache.org       713
manifoldcf.apache.org   112
marmotta.apache.org     1
maven.apache.org        1623
maventest.apache.org    1178
mina.apache.org         2
mrunit.apache.org       3
myfaces.apache.org      348
nutch.apache.org        8
oltu.apache.org         11
oodt.apache.org         1
ooo-site.apache.org     1
oozie.apache.org        10
openjpa.apache.org      20
opennlp.apache.org      9
pdfbox.apache.org       1
pig.apache.org          7
pivot.apache.org        1
poi.apache.org          1
portals.apache.org      35
river.apache.org        2
santuario.apache.org    1
shale.apache.org        55
shiro.apache.org        3
sling.apache.org        2
sqoop.apache.org        4
struts.apache.org       190
subversion.apache.org   3
synapse.apache.org      1
syncope.apache.org      2
tapestry.apache.org     6
tika.apache.org         9
tiles.apache.org        12
turbine.apache.org      100
tuscany.apache.org      4
uima.apache.org         12
velocity.apache.org     41
whirr.apache.org        2
wicket.apache.org       3
wink.apache.org         13
ws.apache.org           22
xalan.apache.org        1
xerces.apache.org       5
xml.apache.org          1
xmlbeans.apache.org     3
zookeeper.apache.org    18