Posted to dev@oodt.apache.org by ke...@apache.org on 2013/06/20 15:18:03 UTC
Fwd: [SECURITY] Frame injection vulnerability in published Javadoc
See the forwarded message below. Yuck.
I used the patching tool mentioned to fix OODT's Javadocs online at http://oodt.apache.org/
Whoever cuts the next OODT website MUST use Java 1.7.0_23 or higher.
--k
Begin forwarded message:
> From: Mark Thomas <ma...@apache.org>
> Subject: [SECURITY] Frame injection vulnerability in published Javadoc
> Date: 2013 June 20 3.29.23a CDT
> To: committers@apache.org
> Cc: root@apache.org
> Reply-To: "infrastructure@apache.org" <in...@apache.org>
>
> Hi All,
>
> Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
> generated by Java 5, Java 6 and Java 7 before update 22.
>
> The infrastructure team has completed a scan of our current project
> websites and identified over 6000 instances of vulnerable Javadoc
> distributed across most TLPs. The chances are the project(s) you
> contribute to is(are) affected. A list of projects and the number of
> affected Javadoc instances per project is provided at the end of this
> e-mail.
>
> Please take the necessary steps to fix any currently published Javadoc
> and to ensure that any future Javadoc published by your project does not
> contain the vulnerability. The announcement by Oracle includes a link to
> a tool that can be used to fix Javadoc without regeneration.
>
> The infrastructure team is investigating options for preventing the
> publication of vulnerable Javadoc.
>
> The issue is public and may be discussed freely on your project's dev list.
>
> Thanks,
>
> Mark (ASF Infra)
>
>
>
> [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
> [2] http://www.kb.cert.org/vuls/id/225657
>
> Project Instances
> abdera.apache.org 1
> accumulo.apache.org 2
> activemq.apache.org 105
> any23.apache.org 13
> archiva.apache.org 4
> archive.apache.org 13
> aries.apache.org 7
> avro.apache.org 23
> axis.apache.org 5
> beehive.apache.org 16
> bval.apache.org 12
> camel.apache.org 786
> cayenne.apache.org 4
> chemistry.apache.org 6
> click.apache.org 3
> cocoon.apache.org 6
> commons.apache.org 34
> continuum.apache.org 9
> creadur.apache.org 19
> crunch.apache.org 4
> ctakes.apache.org 2
> curator.apache.org 4
> cxf.apache.org 6
> db.apache.org 39
> directory.apache.org 4
> empire-db.apache.org 1
> felix.apache.org 5
> flume.apache.org 5
> geronimo.apache.org 241
> giraph.apache.org 6
> gora.apache.org 3
> hadoop.apache.org 21
> hbase.apache.org 2
> hive.apache.org 4
> hivemind.apache.org 10
> incubator.apache.org 355
> jackrabbit.apache.org 9
> jakarta.apache.org 39
> james.apache.org 53
> jena.apache.org 5
> juddi.apache.org 3
> lenya.apache.org 46
> logging.apache.org 111
> lucene.apache.org 713
> manifoldcf.apache.org 112
> marmotta.apache.org 1
> maven.apache.org 1623
> maventest.apache.org 1178
> mina.apache.org 2
> mrunit.apache.org 3
> myfaces.apache.org 348
> nutch.apache.org 8
> oltu.apache.org 11
> oodt.apache.org 1
> ooo-site.apache.org 1
> oozie.apache.org 10
> openjpa.apache.org 20
> opennlp.apache.org 9
> pdfbox.apache.org 1
> pig.apache.org 7
> pivot.apache.org 1
> poi.apache.org 1
> portals.apache.org 35
> river.apache.org 2
> santuario.apache.org 1
> shale.apache.org 55
> shiro.apache.org 3
> sling.apache.org 2
> sqoop.apache.org 4
> struts.apache.org 190
> subversion.apache.org 3
> synapse.apache.org 1
> syncope.apache.org 2
> tapestry.apache.org 6
> tika.apache.org 9
> tiles.apache.org 12
> turbine.apache.org 100
> tuscany.apache.org 4
> uima.apache.org 12
> velocity.apache.org 41
> whirr.apache.org 2
> wicket.apache.org 3
> wink.apache.org 13
> ws.apache.org 22
> xalan.apache.org 1
> xerces.apache.org 5
> xml.apache.org 1
> xmlbeans.apache.org 3
> zookeeper.apache.org 18
>
>
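A detection check in the spirit of the infra team's scan, added here as an example (not Apache's scanner or Oracle's updater tool): it flags a published Javadoc index.html whose frame-loading script copies the query string into the class frame without the validURL() check that the fixed generator emits. The regexes and the sample HTML are constructed approximations of the generated script, not copies of real files.

```python
"""Heuristic scan for the unvalidated frame-loading script in Javadoc index.html.

Pre-fix index.html takes the frame target from window.location.search and
assigns it to top.classFrame.location unchecked; fixed output adds a
validURL() whitelist check first. These rules are a heuristic, not Oracle's.
"""
import os
import re

# Idioms of the generated script (patterns written for this example)
_QUERY_SRC = re.compile(r'targetPage\s*=\s*""\s*\+\s*window\.location\.search')
_FRAME_LOAD = re.compile(r"top\.classFrame\.location\s*=\s*top\.targetPage")
_VALIDATOR = re.compile(r"function\s+validURL\s*\(")


def classify_javadoc_index(html: str) -> str:
    """Return 'vulnerable', 'patched' or 'not-frameset' for one index.html."""
    if not (_QUERY_SRC.search(html) and _FRAME_LOAD.search(html)):
        return "not-frameset"  # no frame-loading script to worry about
    return "patched" if _VALIDATOR.search(html) else "vulnerable"


def scan_tree(root: str):
    """Walk a published docs tree; yield (path, verdict) for each index.html."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "index.html":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    yield path, classify_javadoc_index(fh.read())


# Constructed stand-ins for the generated script block (not real files)
VULNERABLE_SAMPLE = """<script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
             top.classFrame.location = top.targetPage;
    }
</script>"""
PATCHED_SAMPLE = VULNERABLE_SAMPLE.replace(
    "function loadFrames()",
    "function validURL(url) { /* whitelist check elided */ }\n    function loadFrames()")

if __name__ == "__main__":
    import sys
    for path, verdict in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        if verdict == "vulnerable":
            print(f"{verdict}: {path}")
```

Run it against the checkout of a project site (e.g. the directory that is published under the site root) and fix or regenerate every file it reports.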
Re: [SECURITY] Frame injection vulnerability in published Javadoc
Posted by "Mattmann, Chris A (398J)" <ch...@jpl.nasa.gov>.
Thanks Sean -- got it.
Cheers,
Chris
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Chris Mattmann, Ph.D.
Senior Computer Scientist
NASA Jet Propulsion Laboratory Pasadena, CA 91109 USA
Office: 171-266B, Mailstop: 171-246
Email: chris.a.mattmann@nasa.gov
WWW: http://sunset.usc.edu/~mattmann/
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Adjunct Assistant Professor, Computer Science Department
University of Southern California, Los Angeles, CA 90089 USA
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----Original Message-----
From: "kelly@apache.org" <ke...@apache.org>
Reply-To: "dev@oodt.apache.org" <de...@oodt.apache.org>
Date: Thursday, June 20, 2013 6:18 AM
To: "dev@oodt.apache.org" <de...@oodt.apache.org>
Subject: Fwd: [SECURITY] Frame injection vulnerability in published Javadoc