Posted to dev@chukwa.apache.org by "Alan D. Cabrera" <li...@toolazydogs.com> on 2013/07/04 23:45:06 UTC

Re: [SECURITY] Frame injection vulnerability in published Javadoc

Thanks for taking care of this Eric!


Regards,
Alan

On Jun 30, 2013, at 1:29 PM, Eric Yang <er...@gmail.com> wrote:

> CHUKWA-689 is filed to track the progress of the doc generation.
> 
> 
> On Sun, Jun 30, 2013 at 10:11 AM, Eric Yang <er...@gmail.com> wrote:
> 
>> First, we need to get pub sub working for our website publishing.  I filed
>> an infrastructure ticket for this:
>> 
>> https://issues.apache.org/jira/browse/INFRA-6480
>> 
>> While this is happening in parallel, we can regenerate:
>> 
>> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.1.2/api
>> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.3.0/api
>> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.4.0/api
>> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.5.0/api
>> 
>> With newer Java.
>> 
>> Last, we also need to update the latest distribution mechanism in pom.xml
>> to update svn source tree instead.
>> 
>> I will take care of doc generation later today, if I find the time.
>> 
>> regards,
>> Eric
>> 
>> 
>> On Sun, Jun 30, 2013 at 8:05 AM, Alan Cabrera <li...@toolazydogs.com> wrote:
>> 
>>> 
>>> On Jun 24, 2013, at 8:24 PM, Ariel Rabkin <as...@gmail.com> wrote:
>>> 
>>>> I don't understand how serious a problem this is. Do we need to do
>>>> anything about this?
>>> 
>>> This comes as a mandate from security so we must, if we are affected by
>>> it.
>>> 
>>>> Anybody want to take the lead and re-compile our javadoc?
>>> 
>>> /me looks at his shoes and slowly shuffles backward.
>>> 
>>> Think of this as an opportunity to do another release?  :)
>>> 
>>> 
>>> Regards,
>>> Alan
>>> 
>>>> 
>>>> --Ari
>>>> 
>>>> ---------- Forwarded message ----------
>>>> From: Mark Thomas <ma...@apache.org>
>>>> Date: Thu, Jun 20, 2013 at 4:29 AM
>>>> Subject: [SECURITY] Frame injection vulnerability in published Javadoc
>>>> To: committers@apache.org
>>>> Cc: root@apache.org
>>>> 
>>>> 
>>>> Hi All,
>>>> 
>>>> Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
>>>> generated by Java 5, Java 6 and Java 7 before update 22.
>>>> 
>>>> The infrastructure team has completed a scan of our current project
>>>> websites and identified over 6000 instances of vulnerable Javadoc
>>>> distributed across most TLPs. The chances are the project(s) you
>>>> contribute to is(are) affected. A list of projects and the number of
>>>> affected Javadoc instances per project is provided at the end of this
>>>> e-mail.
>>>> 
>>>> Please take the necessary steps to fix any currently published Javadoc
>>>> and to ensure that any future Javadoc published by your project does not
>>>> contain the vulnerability. The announcement by Oracle includes a link to
>>>> a tool that can be used to fix Javadoc without regeneration.
>>>> 
>>>> The infrastructure team is investigating options for preventing the
>>>> publication of vulnerable Javadoc.
>>>> 
>>>> The issue is public and may be discussed freely on your project's dev
>>>> list.
>>>> 
>>>> Thanks,
>>>> 
>>>> Mark (ASF Infra)
>>>> 
>>>> 
>>>> 
>>>> [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
>>>> [2] http://www.kb.cert.org/vuls/id/225657
>>>> 
>>>> 
>>>> 
>>>> 
>>>> --
>>>> Ari Rabkin asrabkin@gmail.com
>>>> Princeton Computer Science Department
>>> 
>>> 
>>
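As an added example, not part of this thread or of Chukwa's build, here is a Python scanner a project could run over its published docs tree (the site/publish/docs/*/api directories mentioned above) to find index.html pages that still carry the unvalidated targetPage frame redirect. It assumes the script shape of affected Javadoc index.html files (targetPage copied from window.location.search and assigned to top.classFrame.location, with no validURL gate), which the advisory itself does not quote.

```python
import os
import re
from pathlib import Path

# Assumption: this is the well-known shape of the frame script in index.html from
# affected JDK javadoc builds; vulnerable pages copy window.location.search into
# targetPage and load it into a frame, while patched pages gate it with validURL().
TARGET_FROM_SEARCH = re.compile(r'targetPage\s*=\s*""\s*\+\s*window\.location\.search')
FRAME_ASSIGN = re.compile(r'top\.classFrame\.location\s*=\s*top\.targetPage')
HAS_VALIDURL = re.compile(r'function\s+validURL\s*\(')


def classify_index_html(html: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not-javadoc-frames' for one index.html body."""
    if not (TARGET_FROM_SEARCH.search(html) and FRAME_ASSIGN.search(html)):
        return "not-javadoc-frames"
    return "fixed" if HAS_VALIDURL.search(html) else "vulnerable"


def scan_tree(root: str) -> dict:
    """Walk a published docs tree and classify every index.html found in it."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "index.html":
                path = Path(dirpath, name)
                body = path.read_text(encoding="utf-8", errors="replace")
                results[str(path)] = classify_index_html(body)
    return results


# Constructed samples for a local check; not copied from any Chukwa release.
VULNERABLE_SAMPLE = """<script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
             top.classFrame.location = top.targetPage;
    }
</script>"""

# Patched shape: the redirect target is rejected unless validURL() accepts it
# (validURL body elided in this constructed sample).
FIXED_SAMPLE = VULNERABLE_SAMPLE.replace(
    "function loadFrames()",
    'if (targetPage.indexOf(":") != -1 || (targetPage != "" && !validURL(targetPage)))\n'
    '        targetPage = "undefined";\n'
    "    function validURL(url) { return true; }\n"
    "    function loadFrames()")

if __name__ == "__main__":
    import sys
    for path, verdict in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{verdict:20} {path}")
```

Run it with the docs root as the only argument; any path reported as vulnerable needs regenerating with a patched JDK or running through the fix tool Oracle links from the advisory.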