Posted to builds@apache.org by Sergio Fernández <se...@salzburgresearch.at> on 2013/06/23 18:31:18 UTC

Fwd: [SECURITY] Frame injection vulnerability in published Javadoc

Hi,

regarding the security issue forwarded, I'd like to ask how a project 
using buildbot+maven should proceed.

I've just updated the marmotta staging site, but the generated javadoc there 
still contains the buggy code:

http://marmotta.staging.apache.org/apidocs/index.html

Thanks in advance for any clue.

Cheers,



-------- Original Message --------
Subject: [SECURITY] Frame injection vulnerability in published Javadoc
Date: Thu, 20 Jun 2013 09:29:23 +0100
From: Mark Thomas <ma...@apache.org>
Reply-To: infrastructure@apache.org <in...@apache.org>
To: committers@apache.org
CC: root@apache.org

Hi All,

Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
generated by Java 5, Java 6 and Java 7 before update 22.

The infrastructure team has completed a scan of our current project
websites and identified over 6000 instances of vulnerable Javadoc
distributed across most TLPs. The chances are the project(s) you
contribute to is(are) affected. A list of projects and the number of
affected Javadoc instances per project is provided at the end of this
e-mail.

Please take the necessary steps to fix any currently published Javadoc
and to ensure that any future Javadoc published by your project does not
contain the vulnerability. The announcement by Oracle includes a link to
a tool that can be used to fix Javadoc without regeneration.

The infrastructure team is investigating options for preventing the
publication of vulnerable Javadoc.

The issue is public and may be discussed freely on your project's dev list.

Thanks,

Mark (ASF Infra)



[1]
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
[2] http://www.kb.cert.org/vuls/id/225657

Project			Instances
abdera.apache.org	1
accumulo.apache.org	2
activemq.apache.org	105
any23.apache.org	13
archiva.apache.org	4
archive.apache.org	13
aries.apache.org	7
avro.apache.org		23
axis.apache.org		5
beehive.apache.org	16
bval.apache.org		12
camel.apache.org	786
cayenne.apache.org	4
chemistry.apache.org	6
click.apache.org	3
cocoon.apache.org	6
commons.apache.org	34
continuum.apache.org	9
creadur.apache.org	19
crunch.apache.org	4
ctakes.apache.org	2
curator.apache.org	4
cxf.apache.org		6
db.apache.org		39
directory.apache.org	4
empire-db.apache.org	1
felix.apache.org	5
flume.apache.org	5
geronimo.apache.org	241
giraph.apache.org	6
gora.apache.org		3
hadoop.apache.org	21
hbase.apache.org	2
hive.apache.org		4
hivemind.apache.org	10
incubator.apache.org	355
jackrabbit.apache.org	9
jakarta.apache.org	39
james.apache.org	53
jena.apache.org		5
juddi.apache.org	3
lenya.apache.org	46
logging.apache.org	111
lucene.apache.org	713
manifoldcf.apache.org	112
marmotta.apache.org	1
maven.apache.org	1623
maventest.apache.org	1178
mina.apache.org		2
mrunit.apache.org	3
myfaces.apache.org	348
nutch.apache.org	8
oltu.apache.org		11
oodt.apache.org		1
ooo-site.apache.org	1
oozie.apache.org	10
openjpa.apache.org	20
opennlp.apache.org	9
pdfbox.apache.org	1
pig.apache.org		7
pivot.apache.org	1
poi.apache.org		1
portals.apache.org	35
river.apache.org	2
santuario.apache.org	1
shale.apache.org	55
shiro.apache.org	3
sling.apache.org	2
sqoop.apache.org	4
struts.apache.org	190
subversion.apache.org	3
synapse.apache.org	1
syncope.apache.org	2
tapestry.apache.org	6
tika.apache.org		9
tiles.apache.org	12
turbine.apache.org	100
tuscany.apache.org	4
uima.apache.org		12
velocity.apache.org	41
whirr.apache.org	2
wicket.apache.org	3
wink.apache.org		13
ws.apache.org		22
xalan.apache.org	1
xerces.apache.org	5
xml.apache.org		1
xmlbeans.apache.org	3
zookeeper.apache.org	18



-- 
Sergio Fernández
Salzburg Research
+43 662 2288 318
Jakob-Haringer Strasse 5/II
A-5020 Salzburg (Austria)
http://www.salzburgresearch.at



Re: [SECURITY] Frame injection vulnerability in published Javadoc

Posted by Sergio Fernández <se...@salzburgresearch.at>.
Confirmed that maven-javadoc-plugin:2.9.1 solves the issue; see MARMOTTA-263 for further details.

On 24/06/13 12:12, Uwe Schindler wrote:
> Hi,
>
> A possible solution for Maven until MJAVADOC-370 is part of an official release may be to use my ANT task using the ANTrunner plugin in Maven:
> http://maven.apache.org/plugins/maven-antrun-plugin/
> Just call my Lucene ANT macro from there, parametrizing the dir= and encoding= from maven properties.
>
>> Generated by javadoc (build 1.6.0_32) on Sun Jun 23 16:32:14 UTC 2013
>
> This comes from JAVA_HOME, so you could grep on that and fail the build...
>
> Uwe
>


RE: [SECURITY] Frame injection vulnerability in published Javadoc

Posted by Uwe Schindler <uw...@thetaphi.de>.
Hi,

A possible solution for Maven until MJAVADOC-370 is part of an official release may be to use my ANT task using the ANTrunner plugin in Maven:
http://maven.apache.org/plugins/maven-antrun-plugin/
Just call my Lucene ANT macro from there, parametrizing the dir= and encoding= from maven properties.

> Generated by javadoc (build 1.6.0_32) on Sun Jun 23 16:32:14 UTC 2013

This comes from JAVA_HOME, so you could grep on that and fail the build...

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de


> -----Original Message-----
> From: Sergio Fernández [mailto:sergio.fernandez@salzburgresearch.at]
> Sent: Monday, June 24, 2013 11:53 AM
> To: builds@apache.org
> Cc: Uwe Schindler
> Subject: Re: [SECURITY] Frame injection vulnerability in published Javadoc
> 
> Thanks Uwe for the hints.
> 
> We tried to force java7 from the pom, but the site plugin looks to ignore the
> regular settings source code, at least there, because I can see in the source
> code of the generated javadoc:
> 
> Generated by javadoc (build 1.6.0_32) on Sun Jun 23 16:32:14 UTC 2013
> 
> AFAIK maven looks up the javadoc binary from JAVA_HOME; how could I
> check which value it is taking there? Because this could be the quickest solution
> until MJAVADOC-370 is solved.
> 
> Cheers,

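A build-time check along the lines Uwe suggests above (grep the javadoc stamp and fail the build): it parses the "Generated by javadoc (build ...)" comment from each published page and flags pages produced by a JDK in the range Mark's announcement lists (Java 5, Java 6, Java 7 before update 22). This is an added example, not code from the thread, Marmotta or Lucene. The sample pages are constructed; the "build" wording of the stamp is what the thread shows for JDK 6, and accepting "version X" or a bare "(X)" as well is an assumption for other JDK generations.

```python
import os
import re
import sys
import tempfile
from typing import List, Optional, Tuple

# javadoc stamps every page it generates with an HTML comment, e.g.
#   <!-- Generated by javadoc (build 1.6.0_32) on Sun Jun 23 16:32:14 UTC 2013 -->
# The "build" wording is what the thread shows for JDK 6; accepting "version X"
# and a bare "(X)" as well is an assumption for other JDK generations.
BUILD_RE = re.compile(
    r"Generated by javadoc \((?:build |version )?(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"
)


def parse_build(html: str) -> Optional[Tuple[int, int]]:
    """Return (java_major, update) from the javadoc stamp, or None if there is none.

    "1.6.0_32" -> (6, 32), "1.7.0_21" -> (7, 21), "1.5.0" -> (5, 0).
    """
    m = BUILD_RE.search(html)
    if m is None:
        return None
    first, second, _patch, update = m.groups()
    # Pre-Java-9 version strings are "1.<major>.0_<update>".
    major = int(second) if int(first) == 1 else int(first)
    return major, int(update) if update else 0


def is_vulnerable(major: int, update: int) -> bool:
    """Affected range from the announcement: Java 5, Java 6, Java 7 before update 22."""
    if major in (5, 6):
        return True
    if major == 7:
        return update < 22
    return False


def scan_tree(root: str) -> List[Tuple[str, Tuple[int, int]]]:
    """Walk a published apidocs tree; list HTML pages stamped by an affected javadoc."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".html"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                head = fh.read(4096)  # the stamp sits in the first lines of the page
            parsed = parse_build(head)
            if parsed is not None and is_vulnerable(*parsed):
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), parsed))
    return sorted(hits)


# Constructed sample pages (not real Marmotta output) covering affected and
# unaffected cases; only the stamp comment matters to the check.
SAMPLE_PAGES = {
    "index.html": "<!-- Generated by javadoc (build 1.6.0_32) on Sun Jun 23 16:32:14 UTC 2013 -->\n<html></html>\n",
    "overview-frame.html": "<!-- Generated by javadoc (build 1.6.0_32) on Sun Jun 23 16:32:14 UTC 2013 -->\n<html></html>\n",
    "old7/index.html": "<!-- Generated by javadoc (version 1.7.0_21) on Mon Jun 24 10:00:00 UTC 2013 -->\n<html></html>\n",
    "fixed/index.html": "<!-- Generated by javadoc (version 1.7.0_25) on Mon Jun 24 10:00:00 UTC 2013 -->\n<html></html>\n",
    "stylesheet.css": "body { background-color: #ffffff; }\n",
}


def demo() -> List[Tuple[str, Tuple[int, int]]]:
    """Write the constructed tree to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_PAGES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    # Usage: python javadoc_check.py target/site/apidocs
    # Exits non-zero when any page came from an affected JDK, so the build fails.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    found = scan_tree(target) if target else demo()
    for rel, (major, update) in found:
        print(f"{rel}: generated by Java {major} update {update} (affected)")
    sys.exit(1 if found else 0)
```

Run it against the directory the javadoc goal writes (for a Maven site build, typically the apidocs directory under the site output) before the site is published; a non-zero exit is what makes a buildbot or Jenkins step fail. The check only looks at which javadoc produced the pages, so a tree that was post-processed with the Oracle tool still carries the old stamp and still trips it; in that case treat the stamp check as a gate on regeneration rather than on the fix itself.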

Re: [SECURITY] Frame injection vulnerability in published Javadoc

Posted by Sergio Fernández <se...@salzburgresearch.at>.
Thanks Uwe for the hints.

We tried to force java7 from the pom, but the site plugin looks to 
ignore the regular settings source code, at least there, because I can 
see in the source code of the generated javadoc:

Generated by javadoc (build 1.6.0_32) on Sun Jun 23 16:32:14 UTC 2013

AFAIK maven looks up the javadoc binary from JAVA_HOME; how could I 
check which value it is taking there? Because this could be the quickest 
solution until MJAVADOC-370 is solved.

Cheers,



On 23/06/13 18:57, Uwe Schindler wrote:
> The Maven issue is here: https://jira.codehaus.org/browse/MJAVADOC-370


RE: [SECURITY] Frame injection vulnerability in published Javadoc

Posted by Uwe Schindler <uw...@thetaphi.de>.
The Maven issue is here: https://jira.codehaus.org/browse/MJAVADOC-370



> -----Original Message-----
> From: Uwe Schindler [mailto:uwe@thetaphi.de]
> Sent: Sunday, June 23, 2013 6:55 PM
> To: builds@apache.org
> Subject: RE: [SECURITY] Frame injection vulnerability in published Javadoc
> 
> Hi,
> 
> once Lucene's bug is committed (see
> https://issues.apache.org/jira/browse/LUCENE-5072), we have no problem
> anymore. For Maven-builds there is already an issue open on the javadoc
> plugin to implement fixing directly inside the javadoc plugin. I contributed a
> patch there already.
> 
> The big issue is: We can only fix Jenkins to create correct Javadocs on Java 7
> build, but Java 6 and Java 5 builds have no recent JDK available that fixes the
> build (except Apple JDK 6 - argh!). The only way is to fix the build in the
> projects to post-process javadocs after generating them. The issue could be
> solved for Maven projects by a plugin upgrade once it is released and for ANT
> projects using the snippet here: http://goo.gl/dq3LJ
> 
> Uwe
> 



RE: [SECURITY] Frame injection vulnerability in published Javadoc

Posted by Uwe Schindler <uw...@thetaphi.de>.
Hi,

once Lucene's bug is committed (see https://issues.apache.org/jira/browse/LUCENE-5072), we have no problem anymore. For Maven builds there is already an issue open on the javadoc plugin to implement fixing directly inside the javadoc plugin. I contributed a patch there already.

The big issue is: We can only fix Jenkins to create correct Javadocs on Java 7 builds, but Java 6 and Java 5 builds have no recent JDK available that fixes the build (except Apple JDK 6 - argh!). The only way is to fix the build in the projects to post-process javadocs after generating them. The issue could be solved for Maven projects by a plugin upgrade once it is released and for ANT projects using the snippet here: http://goo.gl/dq3LJ

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de


> -----Original Message-----
> From: Sergio Fernández [mailto:sergio.fernandez@salzburgresearch.at]
> Sent: Sunday, June 23, 2013 6:31 PM
> To: builds@apache.org
> Subject: Fwd: [SECURITY] Frame injection vulnerability in published Javadoc
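For projects that post-process Javadoc after generation, as suggested above, a small pre-publication check like the following can fail the build while an unpatched index.html is still present. This is an added example, not code from the thread, from Oracle's fix tool or from the Maven/Ant snippets; it assumes the generated index.html copies window.location.search into targetPage and assigns it to top.classFrame.location, and that patched output guards that assignment with a validURL() function. The file names and samples are constructed.

```python
"""Pre-publication check for the Javadoc frame-injection issue (constructed
example, not code from the thread or from Oracle's fix tool). Assumption:
unpatched index.html copies window.location.search into targetPage and assigns
it to top.classFrame.location unchecked; patched output adds validURL()."""
import os
import re

# Heuristic signatures; both are assumptions about the generated <script>.
LOADS_FRAME = re.compile(r"classFrame\.location\s*=\s*top\.targetPage")
HAS_GUARD = re.compile(r"function\s+validURL\s*\(")

# Constructed samples of the two shapes of index.html (not real project files).
VULNERABLE_SAMPLE = """<script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
            top.classFrame.location = top.targetPage;
    }
</script>"""
PATCHED_SAMPLE = VULNERABLE_SAMPLE.replace(
    "function loadFrames()",
    'if (targetPage != "" && !validURL(targetPage)) targetPage = "undefined";\n'
    "    function validURL(url) { return /^[\\w$./-]+\\.html$/.test(url); }\n"
    "    function loadFrames()")


def classify_index_html(html):
    """Return 'vulnerable', 'patched' or 'not-frameset' for one index.html."""
    if not LOADS_FRAME.search(html):
        return "not-frameset"  # no frame-redirect script, nothing to fix
    return "patched" if HAS_GUARD.search(html) else "vulnerable"


def find_vulnerable(pages):
    """pages maps path -> html; return sorted paths that are still unpatched."""
    return sorted(p for p, html in pages.items()
                  if classify_index_html(html) == "vulnerable")


def scan_javadoc_tree(root):
    """Read every index.html below root (e.g. target/site/apidocs); return unpatched ones."""
    pages = {}
    for dirpath, _dirs, files in os.walk(root):
        if "index.html" in files:
            path = os.path.join(dirpath, "index.html")
            with open(path, encoding="utf-8", errors="replace") as fh:
                pages[path] = fh.read()
    return find_vulnerable(pages)
```

A build step can call scan_javadoc_tree on the generated apidocs directory and refuse to publish when the returned list is non-empty.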