Fwd: [SECURITY] Frame injection vulnerability in published Javadoc
I don't understand how serious a problem this is. Do we need to do
anything about this?
Anybody want to take the lead and re-compile our javadoc?

--Ari

---------- Forwarded message ----------
From: Mark Thomas <[EMAIL PROTECTED]>
Date: Thu, Jun 20, 2013 at 4:29 AM
Subject: [SECURITY] Frame injection vulnerability in published Javadoc
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]

Hi All,

Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
generated by Java 5, Java 6 and Java 7 before update 22.

The infrastructure team has completed a scan of our current project
websites and identified over 6000 instances of vulnerable Javadoc
distributed across most TLPs. The chances are the project(s) you
contribute to is(are) affected. A list of projects and the number of
affected Javadoc instances per project is provided at the end of this
e-mail.

Please take the necessary steps to fix any currently published Javadoc
and to ensure that any future Javadoc published by your project does not
contain the vulnerability. The announcement by Oracle includes a link to
a tool that can be used to fix Javadoc without regeneration.

The infrastructure team is investigating options for preventing the
publication of vulnerable Javadoc.

The issue is public and may be discussed freely on your project's dev list.

Thanks,

Mark (ASF Infra)

[1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
[2] http://www.kb.cert.org/vuls/id/225657
--
Ari Rabkin [EMAIL PROTECTED]
Princeton Computer Science Department