FPJ 2013-10-25, 12:23
Hi Flavio. You'll need to keep this in mind (sent out by infra in
June, I addressed it at the time on our existing site) when generating
the release. It needs to be incorporated into our release process
documentation (would be great if you could add it to the wiki).
> Oracle has announced ,  a frame injection vulnerability in Javadoc
> generated by Java 5, Java 6 and Java 7 before update 22.
>
> The infrastructure team has completed a scan of our current project
> websites and identified over 6000 instances of vulnerable Javadoc
> distributed across most TLPs. The chances are the project(s) you
> contribute to is(are) affected. A list of projects and the number of
> affected Javadoc instances per project is provided at the end of this
>
> Please take the necessary steps to fix any currently published Javadoc
> and to ensure that any future Javadoc published by your project does not
> contain the vulnerability. The announcement by Oracle includes a link to
> a tool that can be used to fix Javadoc without regeneration.
>
> The infrastructure team is investigating options for preventing the
> publication of vulnerable Javadoc.
>
> The issue is public and may be discussed freely on your project's dev list.
>
>  http://www.kb.cert.org/vuls/id/225657
On Fri, Oct 25, 2013 at 5:23 AM, FPJ <[EMAIL PROTECTED]> wrote:
> We are down to two blockers: one is about publishing artifacts and the other
> I'm not sure it is an issue (1554). In fact, I would really appreciate it if I
> could get some feedback on ZOOKEEPER-1554.
> Next I want to make sure that a few of the patches related to compiling on
> Windows and Mac OS are in, and we could perhaps consider the critical ones.
> If nothing comes up, I was thinking about cutting the first release
> candidate in about 2 weeks' time.