Posted to dev@jena.apache.org by Andy Seaborne <an...@apache.org> on 2013/06/20 12:34:53 UTC

Fwd: [SECURITY] Frame injection vulnerability in published Javadoc

Done.

The 5 files were each the index.html at the top of a javadoc tree; each 
was patched.

A side-effect of republishing the site is that jena-text is now on the 
main site and LARQ isn't.

	Andy

-------- Original Message --------
Subject: [SECURITY] Frame injection vulnerability in published Javadoc
Date: Thu, 20 Jun 2013 09:29:23 +0100
From: Mark Thomas <ma...@apache.org>
Reply-To: infrastructure@apache.org <in...@apache.org>
To: committers@apache.org
CC: root@apache.org

Hi All,

Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
generated by Java 5, Java 6 and Java 7 before update 22.

The infrastructure team has completed a scan of our current project
websites and identified over 6000 instances of vulnerable Javadoc
distributed across most TLPs. The chances are the project(s) you
contribute to is(are) affected. A list of projects and the number of
affected Javadoc instances per project is provided at the end of this
e-mail.

Please take the necessary steps to fix any currently published Javadoc
and to ensure that any future Javadoc published by your project does not
contain the vulnerability. The announcement by Oracle includes a link to
a tool that can be used to fix Javadoc without regeneration.

The infrastructure team is investigating options for preventing the
publication of vulnerable Javadoc.

The issue is public and may be discussed freely on your project's dev list.

Thanks,

Mark (ASF Infra)



[1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
[2] http://www.kb.cert.org/vuls/id/225657

Project			Instances
...
jena.apache.org		5
...
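The vulnerable Javadoc index.html took a page name from its query string (index.html?org/example/Foo.html) and loaded it into the class frame unvalidated, so any URL could be framed under the project's site. As an added illustration (not the Oracle patch tool and not Jena's code), the check below accepts only a relative .html path inside the javadoc tree; the sample query strings are constructed.

```javascript
// Added illustration, not the Oracle patch tool or the project's code.
// Accept only a relative path of Java-identifier segments separated by "/",
// with a filename of dotted identifiers (nested classes) ending in ".html".
// Non-ASCII identifier characters are deliberately not accepted here.
const TARGET_RE =
  /^(?:[A-Za-z_$][\w$-]*\/)*[A-Za-z_$][\w$-]*(?:\.[A-Za-z_$][\w$-]*)*\.html$/;

function validTargetPage(target) {
  let decoded;
  try {
    decoded = decodeURIComponent(target); // reject malformed %-escapes
  } catch (e) {
    return false;
  }
  // A scheme, an absolute or protocol-relative path, a parent-directory
  // step or a nested query string cannot name a page of this javadoc tree.
  if (decoded.includes(':') || decoded.startsWith('/') ||
      decoded.includes('..') || decoded.includes('?')) {
    return false;
  }
  return TARGET_RE.test(decoded);
}

// Derive the page to load from window.location.search ("?org/x/Foo.html").
// Returns the safe relative path, or "" so the frameset falls back to the
// default overview page instead of framing the supplied value.
function resolveTargetPage(search) {
  if (!search || search === 'undefined') return '';
  const target = search.startsWith('?') ? search.substring(1) : search;
  return validTargetPage(target) ? target : '';
}

// Constructed sample query strings, not taken from any real request.
const samples = [
  '?org/apache/jena/rdf/model/Model.html',
  '?index-all.html',
  '?http://other.example/login.html',
  '?//other.example/login.html',
  '?../../other/login.html',
];
for (const s of samples) {
  console.log(s, '->', resolveTargetPage(s) || '(rejected, default page)');
}
```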

Build upgrades -- was: [SECURITY] Frame injection vulnerability in published Javadoc

Posted by Andy Seaborne <an...@apache.org>.
There's a new version of the javadoc plugin (2.9.1) to address the 
javadoc security issue so I have updated jena-parent to use it.

At the same time I updated any plugins that didn't seem to be the latest 
and also bumped the Apache parent to 13.  I only looked in the 
jena-parent POM.

Builds with mvn 3.0.4/3.0.5

	Andy

