Posted to dev@chukwa.apache.org by Ariel Rabkin <as...@gmail.com> on 2013/06/25 05:24:22 UTC

Fwd: [SECURITY] Frame injection vulnerability in published Javadoc

I don't understand how serious a problem this is. Do we need to do
anything about this?
Anybody want to take the lead and re-compile our javadoc?

--Ari

---------- Forwarded message ----------
From: Mark Thomas <ma...@apache.org>
Date: Thu, Jun 20, 2013 at 4:29 AM
Subject: [SECURITY] Frame injection vulnerability in published Javadoc
To: committers@apache.org
Cc: root@apache.org


Hi All,

Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
generated by Java 5, Java 6 and Java 7 before update 22.

The infrastructure team has completed a scan of our current project
websites and identified over 6000 instances of vulnerable Javadoc
distributed across most TLPs. The chances are the project(s) you
contribute to is(are) affected. A list of projects and the number of
affected Javadoc instances per project is provided at the end of this
e-mail.

Please take the necessary steps to fix any currently published Javadoc
and to ensure that any future Javadoc published by your project does not
contain the vulnerability. The announcement by Oracle includes a link to
a tool that can be used to fix Javadoc without regeneration.

The infrastructure team is investigating options for preventing the
publication of vulnerable Javadoc.

The issue is public and may be discussed freely on your project's dev list.

Thanks,

Mark (ASF Infra)



[1]
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
[2] http://www.kb.cert.org/vuls/id/225657




--
Ari Rabkin asrabkin@gmail.com
Princeton Computer Science Department
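An added example, not part of this thread or of any Apache project: a small Python check in the spirit of the infra team's site scan, which classifies published Javadoc `index.html` files as vulnerable or fixed. It assumes that the frameset loader copies the query string into `targetPage` and that the patched loader (as produced by a fixed javadoc or the updater tool Oracle links to) additionally defines a `validURL` function; the version check follows the advisory's range (Java 5, 6, and 7 before update 22), and both sample inputs are constructed.

```python
import re
from pathlib import Path

# Assumption: the frameset loader in a Javadoc index.html copies the query string into
# targetPage; the patched variant also defines validURL(). Its absence marks the file.
FRAME_SCRIPT = re.compile(r'targetPage\s*=\s*""\s*\+\s*window\.location\.search')
FIX_MARKER = re.compile(r'function\s+validURL\s*\(')
GENERATOR = re.compile(r'Generated by javadoc \(build (\d+)\.(\d+)\.(\d+)_(\d+)\)')

def classify_index_html(html: str) -> str:
    """'vulnerable', 'fixed' or 'not-frameset' for one index.html body."""
    if not FRAME_SCRIPT.search(html):
        return "not-frameset"  # no query-string frame loader, nothing to inject into
    return "fixed" if FIX_MARKER.search(html) else "vulnerable"

def generator_is_vulnerable(html: str):
    """True if the generator comment names Java 5, 6 or 7 before update 22
    (the range in the advisory), False for a newer build, None if absent."""
    m = GENERATOR.search(html)
    if m is None:
        return None
    major, minor, _, update = (int(x) for x in m.groups())
    if major != 1 or minor < 5:
        return None  # version scheme outside the advisory's range; no verdict
    return minor < 7 or (minor == 7 and update < 22)

def scan_docs_tree(root: Path) -> list:
    """Walk a published docs tree and pair every index.html with its verdict."""
    return [(str(p), classify_index_html(p.read_text(errors="replace")))
            for p in root.rglob("index.html")]

# Constructed samples modelled on the two loader variants (not copied from any site).
VULN_SAMPLE = """<!-- Generated by javadoc (build 1.6.0_45) on Mon Jun 24 2013 -->
<script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
             top.classFrame.location = top.targetPage;
    }
</script>"""
FIXED_SAMPLE = VULN_SAMPLE.replace("1.6.0_45", "1.7.0_25").replace(
    "function loadFrames()",
    'if (targetPage.indexOf(":") != -1 || (targetPage != "" && !validURL(targetPage)))\n'
    '        targetPage = "undefined";\n'
    '    function validURL(url) { /* allow-list check, elided in this sample */ }\n'
    '    function loadFrames()')
```

Run `scan_docs_tree(Path("site/publish/docs"))` over a checkout of the published docs to get one verdict per Javadoc root; any `vulnerable` entry needs regeneration or the updater tool.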

Re: [SECURITY] Frame injection vulnerability in published Javadoc

Posted by "Alan D. Cabrera" <li...@toolazydogs.com>.
Thanks for taking care of this Eric!


Regards,
Alan

On Jun 30, 2013, at 1:29 PM, Eric Yang <er...@gmail.com> wrote:

> CHUKWA-689 is filed to track the progress of the doc generation.
> 
> 
> On Sun, Jun 30, 2013 at 10:11 AM, Eric Yang <er...@gmail.com> wrote:
> 
>> First, we need to get pub sub working for our website publishing.  I filed
>> an infrastructure ticket for this:
>> 
>> https://issues.apache.org/jira/browse/INFRA-6480
>> 
>> While this is happening in parallel, we can regenerate:
>> 
>> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.1.2/api
>> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.3.0/api
>> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.4.0/api
>> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.5.0/api
>> 
>> With newer Java.
>> 
>> Last, we also need to update the latest distribution mechanism in pom.xml
>> to update svn source tree instead.
>> 
>> I will take care of doc generation later today, if I find the time.
>> 
>> regards,
>> Eric
>> 
>> 
>> On Sun, Jun 30, 2013 at 8:05 AM, Alan Cabrera <li...@toolazydogs.com> wrote:
>> 
>>> 
>>> On Jun 24, 2013, at 8:24 PM, Ariel Rabkin <as...@gmail.com> wrote:
>>> 
>>>> I don't understand how serious a problem this is. Do we need to do
>>>> anything about this?
>>> 
>>> This comes as a mandate from security so we must, if we are affected by
>>> it.
>>> 
>>>> Anybody want to take the lead and re-compile our javadoc?
>>> 
>>> /me looks at his shoes and slowly shuffles backward.
>>> 
>>> Think of this as an opportunity to do another release?  :)
>>> 
>>> 
>>> Regards,
>>> Alan
>>> 


Re: [SECURITY] Frame injection vulnerability in published Javadoc

Posted by Eric Yang <er...@gmail.com>.
CHUKWA-689 is filed to track the progress of the doc generation.


On Sun, Jun 30, 2013 at 10:11 AM, Eric Yang <er...@gmail.com> wrote:

> First, we need to get pub sub working for our website publishing.  I filed
> an infrastructure ticket for this:
>
> https://issues.apache.org/jira/browse/INFRA-6480
>
> While this is happening in parallel, we can regenerate:
>
> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.1.2/api
> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.3.0/api
> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.4.0/api
> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.5.0/api
>
> With newer Java.
>
> Last, we also need to update the latest distribution mechanism in pom.xml
> to update svn source tree instead.
>
> I will take care of doc generation later today, if I find the time.
>
> regards,
> Eric
>
>
> On Sun, Jun 30, 2013 at 8:05 AM, Alan Cabrera <li...@toolazydogs.com> wrote:
>
>>
>> On Jun 24, 2013, at 8:24 PM, Ariel Rabkin <as...@gmail.com> wrote:
>>
>> > I don't understand how serious a problem this is. Do we need to do
>> > anything about this?
>>
>> This comes as a mandate from security so we must, if we are affected by
>> it.
>>
>> > Anybody want to take the lead and re-compile our javadoc?
>>
>> /me looks at his shoes and slowly shuffles backward.
>>
>> Think of this as an opportunity to do another release?  :)
>>
>>
>> Regards,
>> Alan
>>

Re: [SECURITY] Frame injection vulnerability in published Javadoc

Posted by Eric Yang <er...@gmail.com>.
First, we need to get pub sub working for our website publishing.  I filed
an infrastructure ticket for this:

https://issues.apache.org/jira/browse/INFRA-6480

While this is happening in parallel, we can regenerate:

https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.1.2/api
https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.3.0/api
https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.4.0/api
https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.5.0/api

With newer Java.

Last, we also need to update the latest distribution mechanism in pom.xml
to update svn source tree instead.

I will take care of doc generation later today, if I find the time.

regards,
Eric


On Sun, Jun 30, 2013 at 8:05 AM, Alan Cabrera <li...@toolazydogs.com> wrote:

>
> On Jun 24, 2013, at 8:24 PM, Ariel Rabkin <as...@gmail.com> wrote:
>
> > I don't understand how serious a problem this is. Do we need to do
> > anything about this?
>
> This comes as a mandate from security so we must, if we are affected by it.
>
> > Anybody want to take the lead and re-compile our javadoc?
>
> /me looks at his shoes and slowly shuffles backward.
>
> Think of this as an opportunity to do another release?  :)
>
>
> Regards,
> Alan
>

Re: [SECURITY] Frame injection vulnerability in published Javadoc

Posted by Alan Cabrera <li...@toolazydogs.com>.
On Jun 24, 2013, at 8:24 PM, Ariel Rabkin <as...@gmail.com> wrote:

> I don't understand how serious a problem this is. Do we need to do
> anything about this?

This comes as a mandate from security so we must, if we are affected by it.

> Anybody want to take the lead and re-compile our javadoc?

/me looks at his shoes and slowly shuffles backward.

Think of this as an opportunity to do another release?  :)


Regards,
Alan
