Hi, once Lucene's bug is committed (see https://issues.apache.org/jira/browse/LUCENE-5072), we have no problem anymore. For Maven builds there is already an issue open on the javadoc plugin to implement fixing directly inside the javadoc plugin. I contributed a patch there already.

The big issue is: We can only fix Jenkins to create correct Javadocs on Java 7 builds, but Java 6 and Java 5 builds have no recent JDK available that fixes the build (except Apple JDK 6 - argh!). The only way is to fix the build in the projects to post-process javadocs after generating them. The issue could be solved for Maven projects by a plugin upgrade once it is released and for ANT projects using the snippet here: http://goo.gl/dq3LJ

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: u...@thetaphi.de

> -----Original Message-----
> From: Sergio Fernández [mailto:sergio.fernan...@salzburgresearch.at]
> Sent: Sunday, June 23, 2013 6:31 PM
> To: builds@apache.org
> Subject: Fwd: [SECURITY] Frame injection vulnerability in published Javadoc
>
> Hi,
>
> regarding the security issue forwarded, I'd like to ask how a project using
> buildbot+maven should proceed.
>
> I've just updated the marmotta staging site, but the generated javadoc there still
> contains the buggy code:
>
> http://marmotta.staging.apache.org/apidocs/index.html
>
> Thanks in advance for any clue.
>
> Cheers,
>
>
> -------- Original Message --------
> Subject: [SECURITY] Frame injection vulnerability in published Javadoc
> Date: Thu, 20 Jun 2013 09:29:23 +0100
> From: Mark Thomas <ma...@apache.org>
> Reply-To: infrastruct...@apache.org <infrastruct...@apache.org>
> To: committ...@apache.org
> CC: r...@apache.org
>
> Hi All,
>
> Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
> generated by Java 5, Java 6 and Java 7 before update 22.
>
> The infrastructure team has completed a scan of our current project
> websites and identified over 6000 instances of vulnerable Javadoc distributed
> across most TLPs. The chances are the project(s) you contribute to is(are)
> affected. A list of projects and the number of affected Javadoc instances per
> project is provided at the end of this e-mail.
>
> Please take the necessary steps to fix any currently published Javadoc and to
> ensure that any future Javadoc published by your project does not contain
> the vulnerability. The announcement by Oracle includes a link to a tool that
> can be used to fix Javadoc without regeneration.
>
> The infrastructure team is investigating options for preventing the
> publication of vulnerable Javadoc.
>
> The issue is public and may be discussed freely on your project's dev list.
>
> Thanks,
>
> Mark (ASF Infra)
>
>
> [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
> [2] http://www.kb.cert.org/vuls/id/225657
>
> Project                    Instances
> abdera.apache.org          1
> accumulo.apache.org        2
> activemq.apache.org        105
> any23.apache.org           13
> archiva.apache.org         4
> archive.apache.org         13
> aries.apache.org           7
> avro.apache.org            23
> axis.apache.org            5
> beehive.apache.org         16
> bval.apache.org            12
> camel.apache.org           786
> cayenne.apache.org         4
> chemistry.apache.org       6
> click.apache.org           3
> cocoon.apache.org          6
> commons.apache.org         34
> continuum.apache.org       9
> creadur.apache.org         19
> crunch.apache.org          4
> ctakes.apache.org          2
> curator.apache.org         4
> cxf.apache.org             6
> db.apache.org              39
> directory.apache.org       4
> empire-db.apache.org       1
> felix.apache.org           5
> flume.apache.org           5
> geronimo.apache.org        241
> giraph.apache.org          6
> gora.apache.org            3
> hadoop.apache.org          21
> hbase.apache.org           2
> hive.apache.org            4
> hivemind.apache.org        10
> incubator.apache.org       355
> jackrabbit.apache.org      9
> jakarta.apache.org         39
> james.apache.org           53
> jena.apache.org            5
> juddi.apache.org           3
> lenya.apache.org           46
> logging.apache.org         111
> lucene.apache.org          713
> manifoldcf.apache.org      112
> marmotta.apache.org        1
> maven.apache.org           1623
> maventest.apache.org       1178
> mina.apache.org            2
> mrunit.apache.org          3
> myfaces.apache.org         348
> nutch.apache.org           8
> oltu.apache.org            11
> oodt.apache.org            1
> ooo-site.apache.org        1
> oozie.apache.org           10
> openjpa.apache.org         20
> opennlp.apache.org         9
> pdfbox.apache.org          1
> pig.apache.org             7
> pivot.apache.org           1
> poi.apache.org             1
> portals.apache.org         35
> river.apache.org           2
> santuario.apache.org       1
> shale.apache.org           55
> shiro.apache.org           3
> sling.apache.org           2
> sqoop.apache.org           4
> struts.apache.org          190
> subversion.apache.org      3
> synapse.apache.org         1
> syncope.apache.org         2
> tapestry.apache.org        6
> tika.apache.org            9
> tiles.apache.org           12
> turbine.apache.org         100
> tuscany.apache.org         4
> uima.apache.org            12
> velocity.apache.org        41
> whirr.apache.org           2
> wicket.apache.org          3
> wink.apache.org            13
> ws.apache.org              22
> xalan.apache.org           1
> xerces.apache.org          5
> xml.apache.org             1
> xmlbeans.apache.org        3
> zookeeper.apache.org       18
>
>
> --
> Sergio Fernández
> Salzburg Research
> +43 662 2288 318
> Jakob-Haringer Strasse 5/II
> A-5020 Salzburg (Austria)
> http://www.salzburgresearch.at
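The post-processing route the thread settles on, as an added example that is not part of the thread and is not the javadoc plugin's or Oracle's updater code: a scanner over a published apidocs tree (the kind of check infra ran to count affected instances) plus a patch step for builds that cannot move to a fixed JDK. Because the thread does not describe the markup, it assumes that the affected index.html copies the query string into targetPage and loads it into the class frame unchecked, and that the fixed generator guards that with a validURL() allow-list; SAMPLE_INDEX, the regexes, the helper names and the Python port of the allow-list are my own.

```python
"""Scan published Javadoc for the unchecked frame target and post-process it.

Added example; not code from the thread, the javadoc plugin or Oracle's tool.
Assumed (not stated on the page): the affected index.html copies the query
string into targetPage and loads it into the class frame unchecked, and the
fixed generator guards it with a validURL() allow-list.
"""
import os
import re

# Constructed sample of the frame-loader script in a generated index.html.
SAMPLE_INDEX = """<html><head><title>API</title>
<script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
             top.classFrame.location = top.targetPage;
    }
</script></head>
<frameset cols="20%,80%" onload="top.loadFrames()">
  <frame src="overview-summary.html" name="classFrame">
</frameset></html>
"""

# The query string is copied into targetPage with no validation at all.
UNCHECKED_TARGET = re.compile(r'targetPage\s*=\s*""\s*\+\s*window\.location\.search')
# A validURL() call marks a document as already post-processed or regenerated.
HAS_VALIDATOR = re.compile(r"\bvalidURL\s*\(")

# Allow-list inserted by patch_index(): identifier-like segments joined by
# '/' or '.', so a scheme, '//', '..' or any other character is refused.
VALIDATOR_JS = """function validURL(url) {
        var allowNumber = false, allowSep = false, seenDot = false;
        for (var i = 0; i < url.length; i++) {
            var ch = url.charAt(i);
            if (('a' <= ch && ch <= 'z') || ('A' <= ch && ch <= 'Z') || ch == '$' || ch == '_') {
                allowNumber = true; allowSep = true;
            } else if (('0' <= ch && ch <= '9') || ch == '-') {
                if (!allowNumber) return false;
            } else if (ch == '/' || ch == '.') {
                if (!allowSep) return false;
                allowNumber = false; allowSep = false;
                if (ch == '.') seenDot = true;
                if (ch == '/' && seenDot) return false;
            } else {
                return false;
            }
        }
        return true;
    }
    """


def is_vulnerable(html):
    """True when the loader hands the raw query string to the frame."""
    return bool(UNCHECKED_TARGET.search(html)) and not HAS_VALIDATOR.search(html)


def patch_index(html):
    """Post-process one index.html; already-fixed input is returned unchanged."""
    if not is_vulnerable(html):
        return html
    anchor = "targetPage = targetPage.substring(1);"
    loader = "function loadFrames()"
    if anchor not in html or loader not in html:
        raise ValueError("frame loader does not match the expected javadoc template")
    guard = anchor + '\n    if (!validURL(targetPage))\n        targetPage = "undefined";'
    return html.replace(anchor, guard, 1).replace(loader, VALIDATOR_JS + loader, 1)


def is_safe_target(url):
    """Python port of the validURL rule, so its effect can be checked offline."""
    allow_number = allow_sep = seen_dot = False
    for ch in url:
        if "a" <= ch <= "z" or "A" <= ch <= "Z" or ch in "$_":
            allow_number = allow_sep = True
        elif "0" <= ch <= "9" or ch == "-":
            if not allow_number:
                return False
        elif ch in "/.":
            if not allow_sep:
                return False
            allow_number = allow_sep = False
            seen_dot = seen_dot or ch == "."
            if ch == "/" and seen_dot:
                return False
        else:
            return False
    return True


def scan_tree(root):
    """List index.html files under root that still carry the unchecked loader."""
    hits = []
    for dirpath, _, files in os.walk(root):
        if "index.html" in files:
            path = os.path.join(dirpath, "index.html")
            with open(path, encoding="utf-8", errors="replace") as fh:
                if is_vulnerable(fh.read()):
                    hits.append(path)
    return hits
```

Run `scan_tree` over a site checkout before publishing and treat a non-empty result as a build failure. `patch_index` only rewrites loaders that match the expected template; anything it refuses should be regenerated with a fixed JDK rather than hand-edited, and `is_safe_target` shows what the inserted guard actually admits: relative, identifier-like paths such as `java/lang/String.html`, never a scheme, a protocol-relative `//` or a `..` step.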