You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jena.apache.org by Andy Seaborne <an...@apache.org> on 2013/07/01 10:31:04 UTC
Build upgrades -- was: [SECURITY] Frame injection vulnerability in
published Javadoc
There's a new version of the javadoc plugin (2.9.1) to address the
javadoc security issue so I have updated jena-parent to use it.
At the same time I updated any plugins that didn't seem to be the latest
and also bumped the Apache parent to 13. I only looked in the
jena-parent POM.
Builds with mvn 3.0.4/3.0.5
Andy
On 20/06/13 11:34, Andy Seaborne wrote:
> Done.
>
> The 5 files were each of the index.html at the top of each javadoc tree
> was patched.
>
> A side-effect of republishing the site is that jena-text is now on the
> main site and LARQ isn't.
>
> Andy
>
> -------- Original Message --------
> Subject: [SECURITY] Frame injection vulnerability in published Javadoc
> Date: Thu, 20 Jun 2013 09:29:23 +0100
> From: Mark Thomas <ma...@apache.org>
> Reply-To: infrastructure@apache.org <in...@apache.org>
> To: committers@apache.org
> CC: root@apache.org
>
> Hi All,
>
> Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
> generated by Java 5, Java 6 and Java 7 before update 22.
>
> The infrastructure team has completed a scan of our current project
> websites and identified over 6000 instances of vulnerable Javadoc
> distributed across most TLPs. The chances are the project(s) you
> contribute to is(are) affected. A list of projects and the number of
> affected Javadoc instances per project is provided at the end of this
> e-mail.
>
> Please take the necessary steps to fix any currently published Javadoc
> and to ensure that any future Javadoc published by your project does not
> contain the vulnerability. The announcement by Oracle includes a link to
> a tool that can be used to fix Javadoc without regeneration.
>
> The infrastructure team is investigating options for preventing the
> publication of vulnerable Javadoc.
>
> The issue is public and may be discussed freely on your project's dev list.
>
> Thanks,
>
> Mark (ASF Infra)
>
>
>
> [1]
> http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
>
> [2] http://www.kb.cert.org/vuls/id/225657
>
> Project Instances
> ...
> jena.apache.org 5
> ...