Posted to dev@nutch.apache.org by "Julien Nioche (JIRA)" <ji...@apache.org> on 2014/06/17 13:26:01 UTC

[jira] [Commented] (NUTCH-1590) [SECURITY] Frame injection vulnerability in published Javadoc

    [ https://issues.apache.org/jira/browse/NUTCH-1590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14033670#comment-14033670 ] 

Julien Nioche commented on NUTCH-1590:
--------------------------------------

Ok, how do we deal with this one? Would it imply that we check the Java version for the Javadoc task and fail the process if the version used does not contain the fix?

> [SECURITY] Frame injection vulnerability in published Javadoc
> -------------------------------------------------------------
>
>                 Key: NUTCH-1590
>                 URL: https://issues.apache.org/jira/browse/NUTCH-1590
>             Project: Nutch
>          Issue Type: New Feature
>          Components: documentation
>    Affects Versions: 1.7, 2.2
>            Reporter: Lewis John McGibbney
>            Priority: Blocker
>             Fix For: 1.9
>
>
> Hi All,
> Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
> generated by Java 5, Java 6 and Java 7 before update 22.
> The infrastructure team has completed a scan of our current project
> websites and identified over 6000 instances of vulnerable Javadoc
> distributed across most TLPs. The chances are the project(s) you
> contribute to is(are) affected. A list of projects and the number of
> affected Javadoc instances per project is provided at the end of this
> e-mail.
> Please take the necessary steps to fix any currently published Javadoc
> and to ensure that any future Javadoc published by your project does not
> contain the vulnerability. The announcement by Oracle includes a link to
> a tool that can be used to fix Javadoc without regeneration.
> The infrastructure team is investigating options for preventing the
> publication of vulnerable Javadoc.
> The issue is public and may be discussed freely on your project's dev list.
> [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
> [2] http://www.kb.cert.org/vuls/id/225657
> nutch.apache.org        8



--
This message was sent by Atlassian JIRA
(v6.2#6252)
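The build-time check Julien asks about, written up here as an added example (this is not Nutch's own build code, which is Ant-based): a small Python script that parses the JDK version string and exits non-zero when that JDK is one the quoted announcement lists as affected, so a wrapping Javadoc build step can be made to fail. The threshold (Java 7 update 22) is taken from the announcement; the script, function names and the idea of calling it from the build are assumptions of this example.

```python
import re
import subprocess
import sys

# Per the announcement quoted in the issue: Javadoc from Java 5, Java 6 and
# Java 7 before update 22 is affected. Java 7u22 and later is treated as fixed.
FIXED_JAVA7_UPDATE = 22

# Matches the legacy "1.7.0_25-b15" form and the newer "9.0.1" / "17" form.
_VERSION_RE = re.compile(r'^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?')


def parse_java_version(version):
    """Return (platform, update): '1.7.0_25-b15' -> (7, 25), '17' -> (17, 0).
    Raises ValueError for strings in neither version scheme."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Java version string: %r" % version)
    major, minor, _patch, update = m.groups()
    # Legacy scheme: the platform version is the second field ("1.7" -> 7).
    platform = int(minor) if major == '1' and minor is not None else int(major)
    return platform, int(update or 0)


def javadoc_tool_has_fix(version):
    """True if the javadoc tool of this JDK version is not on the affected list."""
    platform, update = parse_java_version(version)
    if platform < 7:
        return False                      # Java 5 and 6: affected, any update
    if platform == 7:
        return update >= FIXED_JAVA7_UPDATE
    return True                           # Java 8 and later


def running_jdk_version():
    """Version string reported by 'java -version' (which prints to stderr)."""
    proc = subprocess.run(['java', '-version'], capture_output=True, text=True)
    m = re.search(r'version "([^"]+)"', proc.stderr)
    if not m:
        raise RuntimeError("could not parse 'java -version' output")
    return m.group(1)


if __name__ == '__main__':
    # Non-zero exit lets a build step that runs this script (hypothetical
    # wiring, e.g. before the Javadoc target) stop instead of publishing.
    ver = running_jdk_version()
    ok = javadoc_tool_has_fix(ver)
    print("JDK %s: %s" % (ver, "ok for javadoc" if ok else "affected, refusing"))
    sys.exit(0 if ok else 1)
```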