Chukwa, mail # dev - Re: [SECURITY] Frame injection vulnerability in published Javadoc


Re: [SECURITY] Frame injection vulnerability in published Javadoc
Eric Yang 2013-06-30, 17:11
First, we need to get pub sub working for our website publishing.  I filed
an infrastructure ticket for this:

https://issues.apache.org/jira/browse/INFRA-6480

While this is happening in parallel, we can regenerate:

https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.1.2/api
https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.3.0/api
https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.4.0/api
https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.5.0/api

With newer Java.

Last, we also need to update the latest distribution mechanism in pom.xml
to update the svn source tree instead.

I will take care of doc generation later today, if I find the time.

regards,
Eric
On Sun, Jun 30, 2013 at 8:05 AM, Alan Cabrera <[EMAIL PROTECTED]> wrote:

>
> On Jun 24, 2013, at 8:24 PM, Ariel Rabkin <[EMAIL PROTECTED]> wrote:
>
> > I don't understand how serious a problem this is. Do we need to do
> > anything about this?
>
> This comes as a mandate from security so we must, if we are affected by it.
>
> > Anybody want to take the lead and re-compile our javadoc?
>
> /me looks at his shoes and slowly shuffles backward.
>
> Think of this as an opportunity to do another release?  :)
>
>
> Regards,
> Alan
>
> >
> > --Ari
> >
> > ---------- Forwarded message ----------
> > From: Mark Thomas <[EMAIL PROTECTED]>
> > Date: Thu, Jun 20, 2013 at 4:29 AM
> > Subject: [SECURITY] Frame injection vulnerability in published Javadoc
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> >
> >
> > Hi All,
> >
> > Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
> > generated by Java 5, Java 6 and Java 7 before update 22.
> >
> > The infrastructure team has completed a scan of our current project
> > websites and identified over 6000 instances of vulnerable Javadoc
> > distributed across most TLPs. The chances are the project(s) you
> > contribute to is(are) affected. A list of projects and the number of
> > affected Javadoc instances per project is provided at the end of this
> > e-mail.
> >
> > Please take the necessary steps to fix any currently published Javadoc
> > and to ensure that any future Javadoc published by your project does not
> > contain the vulnerability. The announcement by Oracle includes a link to
> > a tool that can be used to fix Javadoc without regeneration.
> >
> > The infrastructure team is investigating options for preventing the
> > publication of vulnerable Javadoc.
> >
> > The issue is public and may be discussed freely on your project's dev list.
> >
> > Thanks,
> >
> > Mark (ASF Infra)
> >
> >
> >
> > [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
> > [2] http://www.kb.cert.org/vuls/id/225657
> >
> >
> >
> >
> > --
> > Ari Rabkin [EMAIL PROTECTED]
> > Princeton Computer Science Department
>
>
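The thread asks which published Javadoc trees (the r0.1.2 through r0.5.0 api directories above) still carry the frame-injection issue and need regenerating with a fixed Java. The scanner below is an added example written for this archive page; it is not code from the Chukwa project, from ASF Infra, or from Oracle's updater tool. Its detection heuristic is an assumption: the frameset `index.html` emitted by the affected javadoc releases copies `window.location.search` into `targetPage` and assigns it to a frame location as-is, while pages produced by a fixed javadoc (or repaired by the updater tool) first run the value through a `validURL` allow-list check. The two sample pages, the directory names `old-release` and `regenerated`, and the version strings are constructed for the demo.

```python
"""Scan a published Javadoc tree and report frameset index.html pages that still
use the unvalidated targetPage loader (added example; heuristic is an assumption)."""
import re
import tempfile
from pathlib import Path

# Loader shape found in unpatched frameset pages (assumed heuristic).
_LOADER_RE = re.compile(r'targetPage\s*=\s*""\s*\+\s*window\.location\.search')
_FRAME_ASSIGN_RE = re.compile(r'top\.classFrame\.location\s*=\s*top\.targetPage')
# Presence of the validation helper marks a regenerated or tool-patched page.
_VALIDATOR_RE = re.compile(r'function\s+validURL\s*\(')
# Generator comment; the build/version string is reported for triage only.
_GENERATOR_RE = re.compile(r'Generated by javadoc \((?:build|version) ([\w.]+)\)')

# Constructed sample: a page with the unvalidated loader.
VULNERABLE_INDEX = """<!-- Generated by javadoc (build 1.6.0_20) on Mon Jan 01 00:00:00 UTC 2010 -->
<html><head><script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
             top.classFrame.location = top.targetPage;
    }
</script></head>
<frameset cols="20%,80%" onload="top.loadFrames()"></frameset></html>
"""

# Constructed sample: the same page after regeneration, with an allow-list check
# (the validURL body here is an abbreviated stand-in, not Oracle's implementation).
PATCHED_INDEX = r"""<!-- Generated by javadoc (version 1.7.0_25) on Mon Jan 01 00:00:00 UTC 2014 -->
<html><head><script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    if (targetPage.indexOf(":") != -1 || (targetPage != "" && !validURL(targetPage)))
        targetPage = "undefined";
    function validURL(url) { return /^[\w$\/.-]+\.html$/.test(url); }
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
             top.classFrame.location = top.targetPage;
    }
</script></head>
<frameset cols="20%,80%" onload="top.loadFrames()"></frameset></html>
"""


def classify_index_page(html: str) -> str:
    """Return 'vulnerable', 'patched' or 'not-frameset' for one index.html body."""
    if not (_LOADER_RE.search(html) and _FRAME_ASSIGN_RE.search(html)):
        return "not-frameset"
    return "patched" if _VALIDATOR_RE.search(html) else "vulnerable"


def javadoc_version(html: str):
    """Extract the javadoc build/version string from the generator comment, if any."""
    match = _GENERATOR_RE.search(html)
    return match.group(1) if match else None


def scan_javadoc_tree(root) -> dict:
    """Map every index.html below root to (classification, generator version)."""
    root = Path(root)
    results = {}
    for path in root.rglob("index.html"):
        html = path.read_text(encoding="utf-8", errors="replace")
        results[path.relative_to(root).as_posix()] = (classify_index_page(html),
                                                      javadoc_version(html))
    return results


def vulnerable_pages(root) -> list:
    """Sorted relative paths of index.html pages still using the unvalidated loader."""
    return sorted(rel for rel, (state, _) in scan_javadoc_tree(root).items()
                  if state == "vulnerable")


def demo_scan() -> list:
    """Build a throwaway docs tree from the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, html in (("old-release/api/index.html", VULNERABLE_INDEX),
                          ("regenerated/api/index.html", PATCHED_INDEX)):
            target = root / rel
            target.parent.mkdir(parents=True)
            target.write_text(html, encoding="utf-8")
        return vulnerable_pages(root)


if __name__ == "__main__":
    for rel in demo_scan():
        print("needs regeneration:", rel)
```

Run it against a checkout of the `site/publish/docs` tree before and after regenerating with a newer Java: the "before" run lists each release's `api/index.html` that still needs work, and an empty "after" run confirms the regenerated pages carry the validation helper. Because the heuristic keys on the loader shape rather than on the javadoc version comment, it also catches pages whose generator comment was lost or edited.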