You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cayenne.apache.org by Mike Kienenberger <mk...@gmail.com> on 2013/07/09 15:12:09 UTC
javadoc security flaw
> On Jul 9, 2013, at 2:57 AM, Aristedes Maniatis <ar...@maniatis.org> wrote:
>> Did we change the javadoc build process to avoid the javadoc security flaw recently discovered? I patched the website javadocs, but I'm not sure if we also have to change something in our maven build process or upgrade some plugin.
On Tue, Jul 9, 2013 at 2:12 AM, Andrus Adamchik <an...@objectstyle.org> wrote:
> Me neither. Probably some research is in order. Should we take this to a separate thread?
Maybe you can copy what some other project has done.
I saw a notice about it for tomcat but I believe it is built with ant.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55119
That notice pointed to Lucene, but it says it was built with ivy.
https://issues.apache.org/jira/browse/LUCENE-5072
So I didn't find a pointer to a maven-based fix.
Re: javadoc security flaw
Posted by Mike Kienenberger <mk...@gmail.com>.
Maybe we can compare index / toc files before and after and see if
there's something obviously different:
index.htm
index.html
toc.htm
toc.html
On Tue, Jul 9, 2013 at 4:58 PM, Mike Kienenberger <mk...@gmail.com> wrote:
> I wasn't able to quickly determine how to detect or exploit this by
> reviewing the recent security advisories about the issue. Maybe
> someone else will have more time or better luck spotting the wanted
> info.
>
> http://www.kb.cert.org/vuls/id/225657
>
> http://xforce.iss.net/xforce/xfdb/84715
>
> http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
>
>
> On Tue, Jul 9, 2013 at 4:23 PM, Andrus Adamchik <an...@objectstyle.org> wrote:
>> Mike, thanks for the research. Just committed javadoc plugin upgrade to all active branches (CAY-1845). I hope we are all set. (wonder if this can be verified by checking the generated javadocs somehow?)
>>
>> Andrus
>>
>> On Jul 9, 2013, at 4:20 PM, Mike Kienenberger <mk...@gmail.com> wrote:
>>
>>> LUCENE's issue stated in the comments that the Oracle tool shouldn't
>>> be used (apparently it can be integrated with maven). It also stated
>>> that there was a simple way to duplicate the functionality using
>>> maven, but I didn't immediately see what that was:
>>>
>>> Here's the thread it had on that:
>>>
>>> https://jira.codehaus.org/browse/MJAVADOC-370?focusedCommentId=327185&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-327185
>>>
>>> This seems to point to https://issues.apache.org/jira/browse/MPOM-46
>>> as one solution later on in the comments
>>>
>>> Which seems to be a matter of updating the maven-javadoc-plugin
>>> version from 2.9 to 2.9.1. Maybe that's all we need as well? If
>>> not, I'm guessing you could diff the changes between versions 2.9 to
>>> 2.9.1 and find the solution in a maven environment?
>>>
>>> http://svn.apache.org/viewvc/maven/pom/trunk/asf/pom.xml?r1=1497692&r2=1497691&pathrev=1497692
>>>
>>> --- maven/pom/trunk/asf/pom.xml 2013/06/28 09:11:27 1497691
>>> +++ maven/pom/trunk/asf/pom.xml 2013/06/28 09:14:58 1497692
>>> @@ -184,7 +184,7 @@
>>> <plugin>
>>> <groupId>org.apache.maven.plugins</groupId>
>>> <artifactId>maven-javadoc-plugin</artifactId>
>>> - <version>2.9</version>
>>> + <version>2.9.1</version>
>>> </plugin>
>>>
>>> On Tue, Jul 9, 2013 at 9:12 AM, Mike Kienenberger <mk...@gmail.com> wrote:
>>>>> On Jul 9, 2013, at 2:57 AM, Aristedes Maniatis <ar...@maniatis.org> wrote:
>>>>>> Did we change the javadoc build process to avoid the javadoc security flaw recently discovered? I patched the website javadocs, but I'm not sure if we also have to change something in our maven build process or upgrade some plugin.
>>>>
>>>> On Tue, Jul 9, 2013 at 2:12 AM, Andrus Adamchik <an...@objectstyle.org> wrote:
>>>>> Me neither. Probably some research is in order. Should we take this to a separate thread?
>>>>
>>>> Maybe you can copy what some other project has done.
>>>>
>>>> I saw a notice about it for tomcat but I believe it is built with ant.
>>>>
>>>> https://issues.apache.org/bugzilla/show_bug.cgi?id=55119
>>>>
>>>> That notice pointed to Lucene, but it says it was built with ivy.
>>>>
>>>> https://issues.apache.org/jira/browse/LUCENE-5072
>>>>
>>>> So I didn't find a pointer to a maven-based fix.
>>>
>>
Re: javadoc security flaw
Posted by Richard Frovarp <rf...@apache.org>.
On 07/09/2013 03:58 PM, Mike Kienenberger wrote:
> I wasn't able to quickly determine how to detect or exploit this by
> reviewing the recent security advisories about the issue. Maybe
> someone else will have more time or better luck spotting the wanted
> info.
>
> http://www.kb.cert.org/vuls/id/225657
>
> http://xforce.iss.net/xforce/xfdb/84715
>
> http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
>
They released a tool that can be ran to check the Javadoc:
http://www.oracle.com/technetwork/java/javase/downloads/java-doc-updater-tool-1955731.html
That will fix the Javadoc, but it also can be used in a checking mode.
There is an issue under Legal's JIRA to determine if the tool could be
used automatically as part of a build or not. I'm not sure of the issue
number, or their determination.
Re: javadoc security flaw
Posted by Mike Kienenberger <mk...@gmail.com>.
I wasn't able to quickly determine how to detect or exploit this by
reviewing the recent security advisories about the issue. Maybe
someone else will have more time or better luck spotting the wanted
info.
http://www.kb.cert.org/vuls/id/225657
http://xforce.iss.net/xforce/xfdb/84715
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
On Tue, Jul 9, 2013 at 4:23 PM, Andrus Adamchik <an...@objectstyle.org> wrote:
> Mike, thanks for the research. Just committed javadoc plugin upgrade to all active branches (CAY-1845). I hope we are all set. (wonder if this can be verified by checking the generated javadocs somehow?)
>
> Andrus
>
> On Jul 9, 2013, at 4:20 PM, Mike Kienenberger <mk...@gmail.com> wrote:
>
>> LUCENE's issue stated in the comments that the Oracle tool shouldn't
>> be used (apparently it can be integrated with maven). It also stated
>> that there was a simple way to duplicate the functionality using
>> maven, but I didn't immediately see what that was:
>>
>> Here's the thread it had on that:
>>
>> https://jira.codehaus.org/browse/MJAVADOC-370?focusedCommentId=327185&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-327185
>>
>> This seems to point to https://issues.apache.org/jira/browse/MPOM-46
>> as one solution later on in the comments
>>
>> Which seems to be a matter of updating the maven-javadoc-plugin
>> version from 2.9 to 2.9.1. Maybe that's all we need as well? If
>> not, I'm guessing you could diff the changes between versions 2.9 to
>> 2.9.1 and find the solution in a maven environment?
>>
>> http://svn.apache.org/viewvc/maven/pom/trunk/asf/pom.xml?r1=1497692&r2=1497691&pathrev=1497692
>>
>> --- maven/pom/trunk/asf/pom.xml 2013/06/28 09:11:27 1497691
>> +++ maven/pom/trunk/asf/pom.xml 2013/06/28 09:14:58 1497692
>> @@ -184,7 +184,7 @@
>> <plugin>
>> <groupId>org.apache.maven.plugins</groupId>
>> <artifactId>maven-javadoc-plugin</artifactId>
>> - <version>2.9</version>
>> + <version>2.9.1</version>
>> </plugin>
>>
>> On Tue, Jul 9, 2013 at 9:12 AM, Mike Kienenberger <mk...@gmail.com> wrote:
>>>> On Jul 9, 2013, at 2:57 AM, Aristedes Maniatis <ar...@maniatis.org> wrote:
>>>>> Did we change the javadoc build process to avoid the javadoc security flaw recently discovered? I patched the website javadocs, but I'm not sure if we also have to change something in our maven build process or upgrade some plugin.
>>>
>>> On Tue, Jul 9, 2013 at 2:12 AM, Andrus Adamchik <an...@objectstyle.org> wrote:
>>>> Me neither. Probably some research is in order. Should we take this to a separate thread?
>>>
>>> Maybe you can copy what some other project has done.
>>>
>>> I saw a notice about it for tomcat but I believe it is built with ant.
>>>
>>> https://issues.apache.org/bugzilla/show_bug.cgi?id=55119
>>>
>>> That notice pointed to Lucene, but it says it was built with ivy.
>>>
>>> https://issues.apache.org/jira/browse/LUCENE-5072
>>>
>>> So I didn't find a pointer to a maven-based fix.
>>
>
Re: javadoc security flaw
Posted by Andrus Adamchik <an...@objectstyle.org>.
Mike, thanks for the research. Just committed javadoc plugin upgrade to all active branches (CAY-1845). I hope we are all set. (wonder if this can be verified by checking the generated javadocs somehow?)
Andrus
On Jul 9, 2013, at 4:20 PM, Mike Kienenberger <mk...@gmail.com> wrote:
> LUCENE's issue stated in the comments that the Oracle tool shouldn't
> be used (apparently it can be integrated with maven). It also stated
> that there was a simple way to duplicate the functionality using
> maven, but I didn't immediately see what that was:
>
> Here's the thread it had on that:
>
> https://jira.codehaus.org/browse/MJAVADOC-370?focusedCommentId=327185&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-327185
>
> This seems to point to https://issues.apache.org/jira/browse/MPOM-46
> as one solution later on in the comments
>
> Which seems to be a matter of updating the maven-javadoc-plugin
> version from 2.9 to 2.9.1. Maybe that's all we need as well? If
> not, I'm guessing you could diff the changes between versions 2.9 to
> 2.9.1 and find the solution in a maven environment?
>
> http://svn.apache.org/viewvc/maven/pom/trunk/asf/pom.xml?r1=1497692&r2=1497691&pathrev=1497692
>
> --- maven/pom/trunk/asf/pom.xml 2013/06/28 09:11:27 1497691
> +++ maven/pom/trunk/asf/pom.xml 2013/06/28 09:14:58 1497692
> @@ -184,7 +184,7 @@
> <plugin>
> <groupId>org.apache.maven.plugins</groupId>
> <artifactId>maven-javadoc-plugin</artifactId>
> - <version>2.9</version>
> + <version>2.9.1</version>
> </plugin>
>
> On Tue, Jul 9, 2013 at 9:12 AM, Mike Kienenberger <mk...@gmail.com> wrote:
>>> On Jul 9, 2013, at 2:57 AM, Aristedes Maniatis <ar...@maniatis.org> wrote:
>>>> Did we change the javadoc build process to avoid the javadoc security flaw recently discovered? I patched the website javadocs, but I'm not sure if we also have to change something in our maven build process or upgrade some plugin.
>>
>> On Tue, Jul 9, 2013 at 2:12 AM, Andrus Adamchik <an...@objectstyle.org> wrote:
>>> Me neither. Probably some research is in order. Should we take this to a separate thread?
>>
>> Maybe you can copy what some other project has done.
>>
>> I saw a notice about it for tomcat but I believe it is built with ant.
>>
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=55119
>>
>> That notice pointed to Lucene, but it says it was built with ivy.
>>
>> https://issues.apache.org/jira/browse/LUCENE-5072
>>
>> So I didn't find a pointer to a maven-based fix.
>
Re: javadoc security flaw
Posted by Mike Kienenberger <mk...@gmail.com>.
LUCENE's issue stated in the comments that the Oracle tool shouldn't
be used (apparently it can be integrated with maven). It also stated
that there was a simple way to duplicate the functionality using
maven, but I didn't immediately see what that was:
Here's the thread it had on that:
https://jira.codehaus.org/browse/MJAVADOC-370?focusedCommentId=327185&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-327185
This seems to point to https://issues.apache.org/jira/browse/MPOM-46
as one solution later on in the comments
Which seems to be a matter of updating the maven-javadoc-plugin
version from 2.9 to 2.9.1. Maybe that's all we need as well? If
not, I'm guessing you could diff the changes between versions 2.9 to
2.9.1 and find the solution in a maven environment?
http://svn.apache.org/viewvc/maven/pom/trunk/asf/pom.xml?r1=1497692&r2=1497691&pathrev=1497692
--- maven/pom/trunk/asf/pom.xml 2013/06/28 09:11:27 1497691
+++ maven/pom/trunk/asf/pom.xml 2013/06/28 09:14:58 1497692
@@ -184,7 +184,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
- <version>2.9</version>
+ <version>2.9.1</version>
</plugin>
On Tue, Jul 9, 2013 at 9:12 AM, Mike Kienenberger <mk...@gmail.com> wrote:
>> On Jul 9, 2013, at 2:57 AM, Aristedes Maniatis <ar...@maniatis.org> wrote:
>>> Did we change the javadoc build process to avoid the javadoc security flaw recently discovered? I patched the website javadocs, but I'm not sure if we also have to change something in our maven build process or upgrade some plugin.
>
> On Tue, Jul 9, 2013 at 2:12 AM, Andrus Adamchik <an...@objectstyle.org> wrote:
>> Me neither. Probably some research is in order. Should we take this to a separate thread?
>
> Maybe you can copy what some other project has done.
>
> I saw a notice about it for tomcat but I believe it is built with ant.
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=55119
>
> That notice pointed to Lucene, but it says it was built with ivy.
>
> https://issues.apache.org/jira/browse/LUCENE-5072
>
> So I didn't find a pointer to a maven-based fix.