Posted to dev@cayenne.apache.org by Mike Kienenberger <mk...@gmail.com> on 2013/07/09 15:12:09 UTC

javadoc security flaw

> On Jul 9, 2013, at 2:57 AM, Aristedes Maniatis <ar...@maniatis.org> wrote:
>> Did we change the javadoc build process to avoid the javadoc security flaw recently discovered? I patched the website javadocs, but I'm not sure if we also have to change something in our maven build process or upgrade some plugin.

On Tue, Jul 9, 2013 at 2:12 AM, Andrus Adamchik <an...@objectstyle.org> wrote:
> Me neither. Probably some research is in order. Should we take this to a separate thread?

Maybe you can copy what some other project has done.

I saw a notice about it for tomcat but I believe it is built with ant.

https://issues.apache.org/bugzilla/show_bug.cgi?id=55119

That notice pointed to Lucene, but it says it was built with ivy.

https://issues.apache.org/jira/browse/LUCENE-5072

So I didn't find a pointer to a maven-based fix.

Re: javadoc security flaw

Posted by Mike Kienenberger <mk...@gmail.com>.
Maybe we can compare index / toc files before and after and see if
there's something obviously different:

index.htm
index.html
toc.htm
toc.html



On Tue, Jul 9, 2013 at 4:58 PM, Mike Kienenberger <mk...@gmail.com> wrote:
> I wasn't able to quickly determine how to detect or exploit this by
> reviewing the recent security advisories about the issue.   Maybe
> someone else will have more time or better luck spotting the wanted
> info.
>
> http://www.kb.cert.org/vuls/id/225657
>
> http://xforce.iss.net/xforce/xfdb/84715
>
> http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
>
>
> On Tue, Jul 9, 2013 at 4:23 PM, Andrus Adamchik <an...@objectstyle.org> wrote:
>> Mike, thanks for the research. Just committed javadoc plugin upgrade to all active branches (CAY-1845). I hope we are all set. (wonder if this can be verified by checking the generated javadocs somehow?)
>>
>> Andrus
>>
>> On Jul 9, 2013, at 4:20 PM, Mike Kienenberger <mk...@gmail.com> wrote:
>>
>>> LUCENE's issue stated in the comments that the Oracle tool shouldn't
>>> be used (apparently it can be integrated with maven).   It also stated
>>> that there was a simple way to duplicate the functionality using
>>> maven, but I didn't immediately see what that was:
>>>
>>> Here's the thread it had on that:
>>>
>>> https://jira.codehaus.org/browse/MJAVADOC-370?focusedCommentId=327185&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-327185
>>>
>>> This seems to point to https://issues.apache.org/jira/browse/MPOM-46
>>> as one solution later on in the comments
>>>
>>> Which seems to be a matter of updating the maven-javadoc-plugin
>>> version from 2.9 to 2.9.1.   Maybe that's all we need as well?   If
>>> not, I'm guessing you could diff the changes between versions 2.9 to
>>> 2.9.1 and find the solution in a maven environment?
>>>
>>> http://svn.apache.org/viewvc/maven/pom/trunk/asf/pom.xml?r1=1497692&r2=1497691&pathrev=1497692
>>>
>>> --- maven/pom/trunk/asf/pom.xml 2013/06/28 09:11:27 1497691
>>> +++ maven/pom/trunk/asf/pom.xml 2013/06/28 09:14:58 1497692
>>> @@ -184,7 +184,7 @@
>>>         <plugin>
>>>           <groupId>org.apache.maven.plugins</groupId>
>>>           <artifactId>maven-javadoc-plugin</artifactId>
>>> -          <version>2.9</version>
>>> +          <version>2.9.1</version>
>>>         </plugin>
>>>
>>> On Tue, Jul 9, 2013 at 9:12 AM, Mike Kienenberger <mk...@gmail.com> wrote:
>>>>> On Jul 9, 2013, at 2:57 AM, Aristedes Maniatis <ar...@maniatis.org> wrote:
>>>>>> Did we change the javadoc build process to avoid the javadoc security flaw recently discovered? I patched the website javadocs, but I'm not sure if we also have to change something in our maven build process or upgrade some plugin.
>>>>
>>>> On Tue, Jul 9, 2013 at 2:12 AM, Andrus Adamchik <an...@objectstyle.org> wrote:
>>>>> Me neither. Probably some research is in order. Should we take this to a separate thread?
>>>>
>>>> Maybe you can copy what some other project has done.
>>>>
>>>> I saw a notice about it for tomcat but I believe it is built with ant.
>>>>
>>>> https://issues.apache.org/bugzilla/show_bug.cgi?id=55119
>>>>
>>>> That notice pointed to Lucene, but it says it was built with ivy.
>>>>
>>>> https://issues.apache.org/jira/browse/LUCENE-5072
>>>>
>>>> So I didn't find a pointer to a maven-based fix.
>>>
>>
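
A check in the spirit of Mike's suggestion above, added here as an example and not code from the thread or the Cayenne project: it walks two javadoc output trees (say, one generated with maven-javadoc-plugin 2.9 and one with 2.9.1), picks out the index.htm, index.html, toc.htm and toc.html pages wherever they sit in the tree, and reports which of them changed, with a unified diff for each. The directory layout and page contents built in demo() are constructed for the illustration.

```python
import os
import tempfile
from difflib import unified_diff

FRAME_PAGES = {"index.htm", "index.html", "toc.htm", "toc.html"}  # named in the thread; nested copies are found too

def find_frame_pages(root):
    """Map each index/toc page under root (path relative to root) to its contents."""
    pages = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in FRAME_PAGES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    pages[os.path.relpath(full, root)] = fh.read()
    return pages

def compare_javadoc_trees(before_dir, after_dir):
    """Classify each frame page as same, changed (with a unified diff) or present on one side only."""
    before, after = find_frame_pages(before_dir), find_frame_pages(after_dir)
    report = {"same": [], "changed": {}, "only_before": [], "only_after": []}
    for rel in sorted(set(before) | set(after)):
        if rel not in after:
            report["only_before"].append(rel)
        elif rel not in before:
            report["only_after"].append(rel)
        elif before[rel] == after[rel]:
            report["same"].append(rel)
        else:
            diff = unified_diff(before[rel].splitlines(), after[rel].splitlines(),
                                "before/" + rel, "after/" + rel, lineterm="")
            report["changed"][rel] = "\n".join(diff)
    return report

def demo():
    """Constructed sample trees: index.html differs, toc.html is identical, pkg/toc.htm exists only before."""
    before, after = tempfile.mkdtemp(prefix="before-"), tempfile.mkdtemp(prefix="after-")
    samples = {  # constructed contents, not real javadoc output
        (before, "index.html"): "<!-- generated by maven-javadoc-plugin 2.9 -->\n<html>frame page</html>\n",
        (after, "index.html"): "<!-- generated by maven-javadoc-plugin 2.9.1 -->\n<html>frame page</html>\n",
        (before, "toc.html"): "<html>unchanged</html>\n",
        (after, "toc.html"): "<html>unchanged</html>\n",
        (os.path.join(before, "pkg"), "toc.htm"): "<html>only in the old tree</html>\n",
        (before, "overview-summary.html"): "<html>not a frame page, ignored</html>\n",
    }
    for (directory, name), body in samples.items():
        os.makedirs(directory, exist_ok=True)
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return compare_javadoc_trees(before, after)
```

Run it against real output by calling compare_javadoc_trees() with the two target/site/apidocs directories; a page listed under "same" after the plugin upgrade is one the upgrade did not touch and deserves a closer look.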

Re: javadoc security flaw

Posted by Richard Frovarp <rf...@apache.org>.
On 07/09/2013 03:58 PM, Mike Kienenberger wrote:
> I wasn't able to quickly determine how to detect or exploit this by
> reviewing the recent security advisories about the issue.   Maybe
> someone else will have more time or better luck spotting the wanted
> info.
>
> http://www.kb.cert.org/vuls/id/225657
>
> http://xforce.iss.net/xforce/xfdb/84715
>
> http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
>

They released a tool that can be run to check the Javadoc:


http://www.oracle.com/technetwork/java/javase/downloads/java-doc-updater-tool-1955731.html

That will fix the Javadoc, but it also can be used in a checking mode.

There is an issue under Legal's JIRA to determine if the tool could be 
used automatically as part of a build or not. I'm not sure of the issue 
number, or their determination.

Re: javadoc security flaw

Posted by Mike Kienenberger <mk...@gmail.com>.
I wasn't able to quickly determine how to detect or exploit this by
reviewing the recent security advisories about the issue.   Maybe
someone else will have more time or better luck spotting the wanted
info.

http://www.kb.cert.org/vuls/id/225657

http://xforce.iss.net/xforce/xfdb/84715

http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html


On Tue, Jul 9, 2013 at 4:23 PM, Andrus Adamchik <an...@objectstyle.org> wrote:
> Mike, thanks for the research. Just committed javadoc plugin upgrade to all active branches (CAY-1845). I hope we are all set. (wonder if this can be verified by checking the generated javadocs somehow?)
>
> Andrus
>
> On Jul 9, 2013, at 4:20 PM, Mike Kienenberger <mk...@gmail.com> wrote:
>
>> LUCENE's issue stated in the comments that the Oracle tool shouldn't
>> be used (apparently it can be integrated with maven).   It also stated
>> that there was a simple way to duplicate the functionality using
>> maven, but I didn't immediately see what that was:
>>
>> Here's the thread it had on that:
>>
>> https://jira.codehaus.org/browse/MJAVADOC-370?focusedCommentId=327185&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-327185
>>
>> This seems to point to https://issues.apache.org/jira/browse/MPOM-46
>> as one solution later on in the comments
>>
>> Which seems to be a matter of updating the maven-javadoc-plugin
>> version from 2.9 to 2.9.1.   Maybe that's all we need as well?   If
>> not, I'm guessing you could diff the changes between versions 2.9 to
>> 2.9.1 and find the solution in a maven environment?
>>
>> http://svn.apache.org/viewvc/maven/pom/trunk/asf/pom.xml?r1=1497692&r2=1497691&pathrev=1497692
>>
>> --- maven/pom/trunk/asf/pom.xml 2013/06/28 09:11:27 1497691
>> +++ maven/pom/trunk/asf/pom.xml 2013/06/28 09:14:58 1497692
>> @@ -184,7 +184,7 @@
>>         <plugin>
>>           <groupId>org.apache.maven.plugins</groupId>
>>           <artifactId>maven-javadoc-plugin</artifactId>
>> -          <version>2.9</version>
>> +          <version>2.9.1</version>
>>         </plugin>
>>
>> On Tue, Jul 9, 2013 at 9:12 AM, Mike Kienenberger <mk...@gmail.com> wrote:
>>>> On Jul 9, 2013, at 2:57 AM, Aristedes Maniatis <ar...@maniatis.org> wrote:
>>>>> Did we change the javadoc build process to avoid the javadoc security flaw recently discovered? I patched the website javadocs, but I'm not sure if we also have to change something in our maven build process or upgrade some plugin.
>>>
>>> On Tue, Jul 9, 2013 at 2:12 AM, Andrus Adamchik <an...@objectstyle.org> wrote:
>>>> Me neither. Probably some research is in order. Should we take this to a separate thread?
>>>
>>> Maybe you can copy what some other project has done.
>>>
>>> I saw a notice about it for tomcat but I believe it is built with ant.
>>>
>>> https://issues.apache.org/bugzilla/show_bug.cgi?id=55119
>>>
>>> That notice pointed to Lucene, but it says it was built with ivy.
>>>
>>> https://issues.apache.org/jira/browse/LUCENE-5072
>>>
>>> So I didn't find a pointer to a maven-based fix.
>>
>

Re: javadoc security flaw

Posted by Andrus Adamchik <an...@objectstyle.org>.
Mike, thanks for the research. Just committed javadoc plugin upgrade to all active branches (CAY-1845). I hope we are all set. (wonder if this can be verified by checking the generated javadocs somehow?)

Andrus

On Jul 9, 2013, at 4:20 PM, Mike Kienenberger <mk...@gmail.com> wrote:

> LUCENE's issue stated in the comments that the Oracle tool shouldn't
> be used (apparently it can be integrated with maven).   It also stated
> that there was a simple way to duplicate the functionality using
> maven, but I didn't immediately see what that was:
> 
> Here's the thread it had on that:
> 
> https://jira.codehaus.org/browse/MJAVADOC-370?focusedCommentId=327185&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-327185
> 
> This seems to point to https://issues.apache.org/jira/browse/MPOM-46
> as one solution later on in the comments
> 
> Which seems to be a matter of updating the maven-javadoc-plugin
> version from 2.9 to 2.9.1.   Maybe that's all we need as well?   If
> not, I'm guessing you could diff the changes between versions 2.9 to
> 2.9.1 and find the solution in a maven environment?
> 
> http://svn.apache.org/viewvc/maven/pom/trunk/asf/pom.xml?r1=1497692&r2=1497691&pathrev=1497692
> 
> --- maven/pom/trunk/asf/pom.xml 2013/06/28 09:11:27 1497691
> +++ maven/pom/trunk/asf/pom.xml 2013/06/28 09:14:58 1497692
> @@ -184,7 +184,7 @@
>         <plugin>
>           <groupId>org.apache.maven.plugins</groupId>
>           <artifactId>maven-javadoc-plugin</artifactId>
> -          <version>2.9</version>
> +          <version>2.9.1</version>
>         </plugin>
> 
> On Tue, Jul 9, 2013 at 9:12 AM, Mike Kienenberger <mk...@gmail.com> wrote:
>>> On Jul 9, 2013, at 2:57 AM, Aristedes Maniatis <ar...@maniatis.org> wrote:
>>>> Did we change the javadoc build process to avoid the javadoc security flaw recently discovered? I patched the website javadocs, but I'm not sure if we also have to change something in our maven build process or upgrade some plugin.
>> 
>> On Tue, Jul 9, 2013 at 2:12 AM, Andrus Adamchik <an...@objectstyle.org> wrote:
>>> Me neither. Probably some research is in order. Should we take this to a separate thread?
>> 
>> Maybe you can copy what some other project has done.
>> 
>> I saw a notice about it for tomcat but I believe it is built with ant.
>> 
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=55119
>> 
>> That notice pointed to Lucene, but it says it was built with ivy.
>> 
>> https://issues.apache.org/jira/browse/LUCENE-5072
>> 
>> So I didn't find a pointer to a maven-based fix.
> 


Re: javadoc security flaw

Posted by Mike Kienenberger <mk...@gmail.com>.
LUCENE's issue stated in the comments that the Oracle tool shouldn't
be used (apparently it can be integrated with maven).   It also stated
that there was a simple way to duplicate the functionality using
maven, but I didn't immediately see what that was:

Here's the thread it had on that:

https://jira.codehaus.org/browse/MJAVADOC-370?focusedCommentId=327185&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-327185

This seems to point to https://issues.apache.org/jira/browse/MPOM-46
as one solution later on in the comments

Which seems to be a matter of updating the maven-javadoc-plugin
version from 2.9 to 2.9.1.   Maybe that's all we need as well?   If
not, I'm guessing you could diff the changes between versions 2.9 to
2.9.1 and find the solution in a maven environment?

http://svn.apache.org/viewvc/maven/pom/trunk/asf/pom.xml?r1=1497692&r2=1497691&pathrev=1497692

--- maven/pom/trunk/asf/pom.xml 2013/06/28 09:11:27 1497691
+++ maven/pom/trunk/asf/pom.xml 2013/06/28 09:14:58 1497692
@@ -184,7 +184,7 @@
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-javadoc-plugin</artifactId>
-          <version>2.9</version>
+          <version>2.9.1</version>
         </plugin>
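
Review bot: the `<version>` change from 2.9 to 2.9.1 is undocumented; nothing in the hunk says why the plugin moved, so a short comment beside the version (or at least the commit message) should cite the javadoc security issue tracked as MPOM-46, otherwise the pin is easy to roll back in a routine plugin update. Also note that a bump in maven/pom/trunk/asf/pom.xml only affects javadocs generated by builds that inherit this parent POM revision (or pin 2.9.1 themselves, as CAY-1845 does); javadocs already published, such as the website ones Aristedes patched by hand, still need a separate check or regeneration.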

On Tue, Jul 9, 2013 at 9:12 AM, Mike Kienenberger <mk...@gmail.com> wrote:
>> On Jul 9, 2013, at 2:57 AM, Aristedes Maniatis <ar...@maniatis.org> wrote:
>>> Did we change the javadoc build process to avoid the javadoc security flaw recently discovered? I patched the website javadocs, but I'm not sure if we also have to change something in our maven build process or upgrade some plugin.
>
> On Tue, Jul 9, 2013 at 2:12 AM, Andrus Adamchik <an...@objectstyle.org> wrote:
>> Me neither. Probably some research is in order. Should we take this to a separate thread?
>
> Maybe you can copy what some other project has done.
>
> I saw a notice about it for tomcat but I believe it is built with ant.
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=55119
>
> That notice pointed to Lucene, but it says it was built with ivy.
>
> https://issues.apache.org/jira/browse/LUCENE-5072
>
> So I didn't find a pointer to a maven-based fix.