Re: [SECURITY] Frame injection vulnerability in published Javadoc
CHUKWA-689 is filed to track the progress of the doc generation.
On Sun, Jun 30, 2013 at 10:11 AM, Eric Yang <[EMAIL PROTECTED]> wrote:

> First, we need to get pub sub working for our website publishing.  I filed
> an infrastructure ticket for this:
>
> https://issues.apache.org/jira/browse/INFRA-6480
>
> While this is happening in parallel, we can regenerate:
>
> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.1.2/api
> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.3.0/api
> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.4.0/api
> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.5.0/api
>
> With newer Java.
>
> Last, we also need to update the latest distribution mechanism in pom.xml
> to update svn source tree instead.
>
> I will take care of doc generation later today, if I find the time.
>
> regards,
> Eric
>
>
> On Sun, Jun 30, 2013 at 8:05 AM, Alan Cabrera <[EMAIL PROTECTED]> wrote:
>
>>
>> On Jun 24, 2013, at 8:24 PM, Ariel Rabkin <[EMAIL PROTECTED]> wrote:
>>
>> > I don't understand how serious a problem this is. Do we need to do
>> > anything about this?
>>
>> This comes as a mandate from security so we must, if we are affected by
>> it.
>>
>> > Anybody want to take the lead and re-compile our javadoc?
>>
>> /me looks at his shoes and slowly shuffles backward.
>>
>> Think of this as an opportunity to do another release?  :)
>>
>>
>> Regards,
>> Alan
>>
>> >
>> > --Ari
>> >
>> > ---------- Forwarded message ----------
>> > From: Mark Thomas <[EMAIL PROTECTED]>
>> > Date: Thu, Jun 20, 2013 at 4:29 AM
>> > Subject: [SECURITY] Frame injection vulnerability in published Javadoc
>> > To: [EMAIL PROTECTED]
>> > Cc: [EMAIL PROTECTED]
>> >
>> >
>> > Hi All,
>> >
>> > Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
>> > generated by Java 5, Java 6 and Java 7 before update 22.
>> >
>> > The infrastructure team has completed a scan of our current project
>> > websites and identified over 6000 instances of vulnerable Javadoc
>> > distributed across most TLPs. The chances are the project(s) you
>> > contribute to is(are) affected. A list of projects and the number of
>> > affected Javadoc instances per project is provided at the end of this
>> > e-mail.
>> >
>> > Please take the necessary steps to fix any currently published Javadoc
>> > and to ensure that any future Javadoc published by your project does not
>> > contain the vulnerability. The announcement by Oracle includes a link to
>> > a tool that can be used to fix Javadoc without regeneration.
>> >
>> > The infrastructure team is investigating options for preventing the
>> > publication of vulnerable Javadoc.
>> >
>> > The issue is public and may be discussed freely on your project's dev
>> > list.
>> >
>> > Thanks,
>> >
>> > Mark (ASF Infra)
>> >
>> >
>> >
>> > [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
>> > [2] http://www.kb.cert.org/vuls/id/225657
>> >
>> >
>> >
>> >
>> > --
>> > Ari Rabkin [EMAIL PROTECTED]
>> > Princeton Computer Science Department
>>
>>
>
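
One way to check a local checkout of the published docs tree (such as the `api` directories listed above) for Javadoc that still needs fixing or regenerating. This is an added example, not code from the thread, ASF Infra or Oracle; the marker strings are assumptions about what the affected and fixed frame pages contain, and the sample pages are constructed.

```python
"""Report Javadoc frame-loader pages that lack the URL validation fix."""
import os
import sys

# Assumptions (not stated in the thread): the affected frameset page copies
# window.location.search into `targetPage`; fixed output defines validURL().
LOADER_MARKERS = ("targetPage", "window.location.search")
FIX_MARKER = "function validURL("


def classify(html: str) -> str:
    """Return 'vulnerable', 'patched' or 'n/a' for one page's text."""
    if not all(marker in html for marker in LOADER_MARKERS):
        return "n/a"  # not a Javadoc frame-loader page
    return "patched" if FIX_MARKER in html else "vulnerable"


def scan_tree(root: str) -> dict:
    """Walk root and map each frame-loader page (relative path) to its status."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            # Old Javadoc is not always UTF-8; never fail the scan on encoding.
            with open(path, encoding="utf-8", errors="replace") as fh:
                status = classify(fh.read())
            if status != "n/a":
                results[os.path.relpath(path, root)] = status
    return results


# Constructed samples, reduced to the lines the classifier looks at.
SAMPLE_OLD = '<script>targetPage = "" + window.location.search;</script>'
SAMPLE_FIXED = SAMPLE_OLD + "<script>function validURL(url) { return false; }</script>"

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    found = scan_tree(root)
    for path, status in sorted(found.items()):
        print(f"{status:10} {path}")
    # Non-zero exit lets a publish job refuse a tree that still has old output.
    sys.exit(1 if "vulnerable" in found.values() else 0)
```

Run against each release's docs directory before publishing; a non-zero exit means at least one frame page still lacks the fix.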