Posted to dev@jena.apache.org by Andy Seaborne <an...@apache.org> on 2013/07/01 10:31:04 UTC

Build upgrades -- was: [SECURITY] Frame injection vulnerability in published Javadoc

There's a new version of the javadoc plugin (2.9.1) to address the 
javadoc security issue so I have updated jena-parent to use it.

At the same time I updated any plugins that didn't seem to be the latest 
and also bumped the Apache parent to 13.  I only looked in the 
jena-parent POM.

Builds with mvn 3.0.4/3.0.5

	Andy


On 20/06/13 11:34, Andy Seaborne wrote:
> Done.
>
> The 5 files were patched; each was the index.html at the top of a javadoc
> tree.
>
> A side-effect of republishing the site is that jena-text is now on the
> main site and LARQ isn't.
>
>      Andy
>
> -------- Original Message --------
> Subject: [SECURITY] Frame injection vulnerability in published Javadoc
> Date: Thu, 20 Jun 2013 09:29:23 +0100
> From: Mark Thomas <ma...@apache.org>
> Reply-To: infrastructure@apache.org <in...@apache.org>
> To: committers@apache.org
> CC: root@apache.org
>
> Hi All,
>
> Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
> generated by Java 5, Java 6 and Java 7 before update 22.
>
> The infrastructure team has completed a scan of our current project
> websites and identified over 6000 instances of vulnerable Javadoc
> distributed across most TLPs. The chances are the project(s) you
> contribute to is(are) affected. A list of projects and the number of
> affected Javadoc instances per project is provided at the end of this
> e-mail.
>
> Please take the necessary steps to fix any currently published Javadoc
> and to ensure that any future Javadoc published by your project does not
> contain the vulnerability. The announcement by Oracle includes a link to
> a tool that can be used to fix Javadoc without regeneration.
>
> The infrastructure team is investigating options for preventing the
> publication of vulnerable Javadoc.
>
> The issue is public and may be discussed freely on your project's dev list.
>
> Thanks,
>
> Mark (ASF Infra)
>
>
>
> [1]
> http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
>
> [2] http://www.kb.cert.org/vuls/id/225657
>
> Project            Instances
> ...
> jena.apache.org        5
> ...
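The audit Mark's mail asks each project to carry out, as an added example that is not part of this thread, of Jena's build or of any ASF Infra tooling: a POSIX shell script that walks a published site and flags javadoc index.html pages lacking the frame-injection guard. It assumes that a fixed page defines a validURL JavaScript function (the guard the Oracle updater tool inserts) and that an unpatched one still sets targetPage from window.location.search without it; the sample pages it scans are constructed stand-ins.

```shell
# Added example, not code from the Jena thread or from ASF Infra.
# Assumption: a javadoc index.html that has the frame-injection fix defines a
# JavaScript function validURL() (the guard the Oracle updater tool inserts),
# while an unpatched one still sets targetPage from window.location.search
# without it. The sample pages below are constructed stand-ins, not real output.
# 0 = page carries the guard, 1 = javadoc frameset page without it,
# 2 = not a javadoc frameset page at all.
check_javadoc_index() {
    grep -q 'targetPage' "$1" || return 2
    grep -q 'function validURL' "$1" || return 1
    return 0
}

# Walk a site root, report every unpatched javadoc index.html on stderr and
# print the count on stdout (the loop is a subshell, so it echoes the count).
scan_javadoc_tree() {
    find "$1" -name index.html -print | {
        count=0
        while IFS= read -r f; do
            rc=0
            check_javadoc_index "$f" || rc=$?
            if [ "$rc" -eq 1 ]; then
                echo "UNPATCHED: $f" >&2
                count=$((count + 1))
            fi
        done
        echo "$count"
    }
}

# Throwaway site: one unpatched tree, one patched tree, one ordinary page.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/javadoc/vuln" "$d/javadoc/fixed"
    printf '%s\n' '<script type="text/javascript">' \
        '    targetPage = "" + window.location.search;' \
        '</script>' > "$d/javadoc/vuln/index.html"
    printf '%s\n' '<script type="text/javascript">' \
        '    targetPage = "" + window.location.search;' \
        '    function validURL(url) { /* guard body elided */ }' \
        '</script>' > "$d/javadoc/fixed/index.html"
    printf '%s\n' '<html><body>Apache Jena</body></html>' > "$d/index.html"
    echo "$d"
}

# Demo run: expect one UNPATCHED line on stderr and "1" on stdout.
site=$(make_sample_site)
scan_javadoc_tree "$site"
rm -rf "$site"
```

Point scan_javadoc_tree at the checked-out site tree before publishing; a non-zero count means at least one javadoc index.html still needs the updater tool or regeneration with a fixed javadoc.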