Posted to dev@chukwa.apache.org by "Alan D. Cabrera" <li...@toolazydogs.com> on 2013/07/04 23:45:06 UTC
Re: [SECURITY] Frame injection vulnerability in published Javadoc
Thanks for taking care of this Eric!
Regards,
Alan
On Jun 30, 2013, at 1:29 PM, Eric Yang <er...@gmail.com> wrote:
> CHUKWA-689 is filed to track the progress of the doc generation.
>
>
> On Sun, Jun 30, 2013 at 10:11 AM, Eric Yang <er...@gmail.com> wrote:
>
>> First, we need to get pub sub working for our website publishing. I filed
>> an infrastructure ticket for this:
>>
>> https://issues.apache.org/jira/browse/INFRA-6480
>>
>> While this is happening in parallel, we can regenerate:
>>
>> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.1.2/api
>> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.3.0/api
>> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.4.0/api
>> https://svn.apache.org/incubator/chukwa/site/publish/docs/r0.5.0/api
>>
>> With newer Java.
>>
>> Last, we also need to update the latest distribution mechanism in pom.xml
>> to update svn source tree instead.
>>
>> I will take care of doc generation later today, if I find the time.
>>
>> regards,
>> Eric
>>
>>
>> On Sun, Jun 30, 2013 at 8:05 AM, Alan Cabrera <li...@toolazydogs.com> wrote:
>>
>>>
>>> On Jun 24, 2013, at 8:24 PM, Ariel Rabkin <as...@gmail.com> wrote:
>>>
>>>> I don't understand how serious a problem this is. Do we need to do
>>>> anything about this?
>>>
>>> This comes as a mandate from security so we must, if we are affected by
>>> it.
>>>
>>>> Anybody want to take the lead and re-compile our javadoc?
>>>
>>> /me looks at his shoes and slowly shuffles backward.
>>>
>>> Think of this as an opportunity to do another release? :)
>>>
>>>
>>> Regards,
>>> Alan
>>>
>>>>
>>>> --Ari
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Mark Thomas <ma...@apache.org>
>>>> Date: Thu, Jun 20, 2013 at 4:29 AM
>>>> Subject: [SECURITY] Frame injection vulnerability in published Javadoc
>>>> To: committers@apache.org
>>>> Cc: root@apache.org
>>>>
>>>>
>>>> Hi All,
>>>>
>>>> Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
>>>> generated by Java 5, Java 6 and Java 7 before update 22.
>>>>
>>>> The infrastructure team has completed a scan of our current project
>>>> websites and identified over 6000 instances of vulnerable Javadoc
>>>> distributed across most TLPs. The chances are the project(s) you
>>>> contribute to is(are) affected. A list of projects and the number of
>>>> affected Javadoc instances per project is provided at the end of this
>>>> e-mail.
>>>>
>>>> Please take the necessary steps to fix any currently published Javadoc
>>>> and to ensure that any future Javadoc published by your project does not
>>>> contain the vulnerability. The announcement by Oracle includes a link to
>>>> a tool that can be used to fix Javadoc without regeneration.
>>>>
>>>> The infrastructure team is investigating options for preventing the
>>>> publication of vulnerable Javadoc.
>>>>
>>>> The issue is public and may be discussed freely on your project's dev
>>>> list.
>>>>
>>>> Thanks,
>>>>
>>>> Mark (ASF Infra)
>>>>
>>>>
>>>>
>>>> [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
>>>> [2] http://www.kb.cert.org/vuls/id/225657
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Ari Rabkin asrabkin@gmail.com
>>>> Princeton Computer Science Department
>>>
>>>
>>
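The forwarded advisory describes an infrastructure scan that found vulnerable Javadoc across project sites, and Eric's reply lists the per-release `api` directories that need regenerating. The script below is an added example, not part of this thread or of the Chukwa project, of how a project could run a similar check over its own published docs tree before and after regeneration. It assumes one detail the thread does not state: that javadoc's generated `index.html` reads `window.location.search` into `targetPage` and loads it into a frame, and that the fixed generator (and Oracle's updater tool) guard that with a `validURL()` function, so an `index.html` with the former but not the latter is flagged. The sample HTML files are constructed for the demo and are not real javadoc output.

```python
"""Flag published Javadoc index.html files that still carry the frame-injection
pattern described in the Oracle advisory referenced in the thread.

Assumption (not stated in the thread): a vulnerable index.html copies the
query string into ``targetPage`` and loads it into a frame unchecked; a
repaired one defines ``validURL()`` and rejects anything that is not a
relative .html path. Files matching the first pattern without the second
are reported.
"""
import os
import re
import tempfile

# Constructed sample of the vulnerable pattern (abridged, not real javadoc output).
VULNERABLE_INDEX = """<html><head><title>Sample API</title>
<script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
             top.classFrame.location = top.targetPage;
    }
</script></head>
<frameset cols="20%,80%" onload="top.loadFrames()">
<frame src="overview-frame.html"></frameset></html>
"""

# Constructed sample of the repaired pattern: the query-string value is only
# accepted when validURL() confirms it is a relative .html page.
FIXED_INDEX = """<html><head><title>Sample API</title>
<script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    if (!validURL(targetPage))
        targetPage = "undefined";
    function validURL(url) {
        // constructed simplification: relative path, .html suffix, no scheme
        return url.indexOf(":") == -1 && url.indexOf("//") == -1
               && url.lastIndexOf(".html") == url.length - 5;
    }
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
             top.classFrame.location = top.targetPage;
    }
</script></head>
<frameset cols="20%,80%" onload="top.loadFrames()">
<frame src="overview-frame.html"></frameset></html>
"""

# An index.html that is not javadoc output at all and must not be flagged.
OTHER_INDEX = "<html><body><h1>Chukwa site</h1></body></html>\n"

TARGET_RE = re.compile(r'targetPage\s*=\s*""\s*\+\s*window\.location\.search')
VALID_RE = re.compile(r'function\s+validURL\s*\(')


def is_vulnerable_javadoc_index(html: str) -> bool:
    """True when the page forwards the query string into a frame without validURL()."""
    return bool(TARGET_RE.search(html)) and not VALID_RE.search(html)


def scan_tree(root: str) -> list:
    """Walk a docs tree and return relative paths of flagged index.html files."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "index.html":
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if is_vulnerable_javadoc_index(fh.read()):
                    flagged.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(flagged)


def demo() -> list:
    """Build a small constructed docs tree resembling docs/rX.Y.Z/api and scan it."""
    root = tempfile.mkdtemp(prefix="javadoc-scan-")
    samples = {
        "r0.4.0/api/index.html": VULNERABLE_INDEX,  # old javadoc, still vulnerable
        "r0.5.0/api/index.html": FIXED_INDEX,       # regenerated with a fixed JDK
        "index.html": OTHER_INDEX,                  # site landing page, not javadoc
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full) or root, exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    for rel in demo():
        print("vulnerable:", rel)
```

Pointing `scan_tree()` at a checked-out `site/publish/docs` tree gives a list to compare against the release directories named in the thread; an empty list after regeneration with a fixed JDK (or after running Oracle's updater tool) is the condition to look for before publishing.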