Re: [SECURITY] Frame injection vulnerability in published Javadoc
Alan Cabrera 2013-06-30, 15:05

On Jun 24, 2013, at 8:24 PM, Ariel Rabkin <[EMAIL PROTECTED]> wrote:

> I don't understand how serious a problem this is. Do we need to do
> anything about this?

This comes as a mandate from security so we must, if we are affected by it.

> Anybody want to take the lead and re-compile our javadoc?

/me looks at his shoes and slowly shuffles backward.

Think of this as an opportunity to do another release?  :)
Regards,
Alan

>
> --Ari
>
> ---------- Forwarded message ----------
> From: Mark Thomas <[EMAIL PROTECTED]>
> Date: Thu, Jun 20, 2013 at 4:29 AM
> Subject: [SECURITY] Frame injection vulnerability in published Javadoc
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
>
>
> Hi All,
>
> Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
> generated by Java 5, Java 6 and Java 7 before update 22.
>
> The infrastructure team has completed a scan of our current project
> websites and identified over 6000 instances of vulnerable Javadoc
> distributed across most TLPs. The chances are the project(s) you
> contribute to is(are) affected. A list of projects and the number of
> affected Javadoc instances per project is provided at the end of this
> e-mail.
>
> Please take the necessary steps to fix any currently published Javadoc
> and to ensure that any future Javadoc published by your project does not
> contain the vulnerability. The announcement by Oracle includes a link to
> a tool that can be used to fix Javadoc without regeneration.
>
> The infrastructure team is investigating options for preventing the
> publication of vulnerable Javadoc.
>
> The issue is public and may be discussed freely on your project's dev list.
>
> Thanks,
>
> Mark (ASF Infra)
>
>
>
> [1]
> http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
> [2] http://www.kb.cert.org/vuls/id/225657
>
>
>
>
> --
> Ari Rabkin [EMAIL PROTECTED]
> Princeton Computer Science Department
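Mark Thomas's forwarded note mentions an infra scan for unpatched Javadoc but not how it was done. As an added illustration, not code from this thread or from ASF Infra's tooling, the following heuristic scanner walks a published Javadoc tree and flags index.html pages that still look unpatched; it assumes the old javadoc template copies window.location.search into targetPage and loads it unchecked, while Oracle's fixed template adds a validURL() gate, and the two sample pages are constructed.

```python
"""Heuristic scan for published Javadoc index.html pages still carrying the
unpatched frame loader. Assumed, not stated in the mail: the old javadoc template
copies window.location.search into targetPage and loads it into the frame with no
check, while Oracle's fixed template (and updater tool) adds a validURL() test."""
import os
import re

# Unpatched and patched templates both read the query string into targetPage ...
RE_TARGET_FROM_QUERY = re.compile(r"targetPage\s*=\s*\"\"\s*\+\s*window\.location\.search")
# ... but only the patched template defines validURL() and gates the load on it.
RE_VALIDATOR = re.compile(r"function\s+validURL\s*\(")


def is_vulnerable_javadoc_index(html: str) -> bool:
    """True when the page is a javadoc frameset loader without the validURL fix."""
    return bool(RE_TARGET_FROM_QUERY.search(html)) and not RE_VALIDATOR.search(html)


def scan_tree(root: str) -> list:
    """Paths of every index.html under root that still matches the unpatched pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "index.html" in files:
            path = os.path.join(dirpath, "index.html")
            with open(path, encoding="utf-8", errors="replace") as fh:
                if is_vulnerable_javadoc_index(fh.read()):
                    hits.append(path)
    return hits


# Constructed stand-ins for generated pages (not taken from the mail or a real site).
VULNERABLE_SAMPLE = """<script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
             top.classFrame.location = top.targetPage;
    }
</script>"""

PATCHED_SAMPLE = """<script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    if (targetPage.indexOf(":") != -1 || (targetPage != "" && !validURL(targetPage)))
        targetPage = "undefined";
    function validURL(url) { /* allow-list check; body elided in this sample */ }
</script>"""
```

Run `scan_tree("/path/to/published/javadoc")` against a checkout of the site to list pages that still need regeneration or the Oracle updater tool.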
Eric Yang 2013-06-30, 17:11
Eric Yang 2013-06-30, 20:29
Alan D. Cabrera 2013-07-04, 21:45