confirmed that maven-javadoc-plugin:2.9.1 solves the issue
see MARMOTTA-263 for further details

On 24/06/13 12:12, Uwe Schindler wrote:
Hi,

A possible solution for Maven until MJAVADOC-370 is part of an official release 
may be to use my ANT task using the ANTrunner plugin in Maven:
http://maven.apache.org/plugins/maven-antrun-plugin/
Just call my Lucene ANT macro from there, parametrizing the dir= and encoding= 
from maven properties.

Generated by javadoc (build 1.6.0_32) on Sun Jun 23 16:32:14 UTC 2013

This comes from JAVA_HOME, so you could grep on that and fail the build...

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: u...@thetaphi.de


-----Original Message-----
From: Sergio Fernández [mailto:sergio.fernan...@salzburgresearch.at]
Sent: Monday, June 24, 2013 11:53 AM
To: builds@apache.org
Cc: Uwe Schindler
Subject: Re: [SECURITY] Frame injection vulnerability in published Javadoc

Thanks Uwe for the hints.

We tried to force java7 from the pom, but the site plugin looks to ignore the
regular settings, at least there, because I can see in the source
code of the generated javadoc:

Generated by javadoc (build 1.6.0_32) on Sun Jun 23 16:32:14 UTC 2013

AFAIK maven looks up the javadoc binary from the JAVA_HOME; how could I
check which value is taken there? Because this could be the quickest solution
meanwhile MJAVADOC-370 is solved.

Cheers,



On 23/06/13 18:57, Uwe Schindler wrote:
The Maven issue is here: https://jira.codehaus.org/browse/MJAVADOC-370

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: u...@thetaphi.de


-----Original Message-----
From: Uwe Schindler [mailto:u...@thetaphi.de]
Sent: Sunday, June 23, 2013 6:55 PM
To: builds@apache.org
Subject: RE: [SECURITY] Frame injection vulnerability in published Javadoc

Hi,

once Lucene's bug is committed (see
https://issues.apache.org/jira/browse/LUCENE-5072), we have no
problem anymore. For Maven builds there is already an issue open on
the javadoc plugin to implement the fixing directly inside the javadoc
plugin. I contributed a patch there already.

The big issue is: We can only fix Jenkins to create correct Javadocs
on Java 7 builds, but Java 6 and Java 5 builds have no recent JDK
available that fixes the build (except Apple JDK 6 - argh!). The only
way is to fix the build in the projects to post-process javadocs
after generating them. The issue could be solved for Maven projects
by a plugin upgrade once it is released and for ANT projects using the
snippet here: http://goo.gl/dq3LJ

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: u...@thetaphi.de


-----Original Message-----
From: Sergio Fernández [mailto:sergio.fernan...@salzburgresearch.at]
Sent: Sunday, June 23, 2013 6:31 PM
To: builds@apache.org
Subject: Fwd: [SECURITY] Frame injection vulnerability in published Javadoc

Hi,

regarding the security issue forwarded, I'd like to ask how a
project using buildbot+maven should proceed.

I've just updated the marmotta staging site, but the generated javadoc
there still contains the buggy code:

http://marmotta.staging.apache.org/apidocs/index.html

Thanks in advance for any clue.

Cheers,



-------- Original Message --------
Subject: [SECURITY] Frame injection vulnerability in published Javadoc
Date: Thu, 20 Jun 2013 09:29:23 +0100
From: Mark Thomas <ma...@apache.org>
Reply-To: infrastruct...@apache.org <infrastruct...@apache.org>
To: committ...@apache.org
CC: r...@apache.org

Hi All,

Oracle has announced [1], [2] a frame injection vulnerability in
Javadoc generated by Java 5, Java 6 and Java 7 before update 22.

The infrastructure team has completed a scan of our current project
websites and identified over 6000 instances of vulnerable Javadoc
distributed across most TLPs. The chances are the project(s) you
contribute to is(are) affected. A list of projects and the number of
affected Javadoc instances per project is provided at the end of this e-mail.

Please take the necessary steps to fix any currently published
Javadoc and to ensure that any future Javadoc published by your
project does not contain the vulnerability. The announcement by
Oracle includes a link to a tool that can be used to fix Javadoc without
regeneration.

The infrastructure team is investigating options for preventing the
publication of vulnerable Javadoc.

The issue is public and may be discussed freely on your project's dev list.

Thanks,

Mark (ASF Infra)



[1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
[2] http://www.kb.cert.org/vuls/id/225657

Project                 Instances
abdera.apache.org       1
accumulo.apache.org     2
activemq.apache.org     105
any23.apache.org        13
archiva.apache.org      4
archive.apache.org      13
aries.apache.org        7
avro.apache.org         23
axis.apache.org         5
beehive.apache.org      16
bval.apache.org         12
camel.apache.org        786
cayenne.apache.org      4
chemistry.apache.org    6
click.apache.org        3
cocoon.apache.org       6
commons.apache.org      34
continuum.apache.org    9
creadur.apache.org      19
crunch.apache.org       4
ctakes.apache.org       2
curator.apache.org      4
cxf.apache.org          6
db.apache.org           39
directory.apache.org    4
empire-db.apache.org    1
felix.apache.org        5
flume.apache.org        5
geronimo.apache.org     241
giraph.apache.org       6
gora.apache.org         3
hadoop.apache.org       21
hbase.apache.org        2
hive.apache.org         4
hivemind.apache.org     10
incubator.apache.org    355
jackrabbit.apache.org   9
jakarta.apache.org      39
james.apache.org        53
jena.apache.org         5
juddi.apache.org        3
lenya.apache.org        46
logging.apache.org      111
lucene.apache.org       713
manifoldcf.apache.org   112
marmotta.apache.org     1
maven.apache.org        1623
maventest.apache.org    1178
mina.apache.org         2
mrunit.apache.org       3
myfaces.apache.org      348
nutch.apache.org        8
oltu.apache.org         11
oodt.apache.org         1
ooo-site.apache.org     1
oozie.apache.org        10
openjpa.apache.org      20
opennlp.apache.org      9
pdfbox.apache.org       1
pig.apache.org          7
pivot.apache.org        1
poi.apache.org          1
portals.apache.org      35
river.apache.org        2
santuario.apache.org    1
shale.apache.org        55
shiro.apache.org        3
sling.apache.org        2
sqoop.apache.org        4
struts.apache.org       190
subversion.apache.org   3
synapse.apache.org      1
syncope.apache.org      2
tapestry.apache.org     6
tika.apache.org         9
tiles.apache.org        12
turbine.apache.org      100
tuscany.apache.org      4
uima.apache.org         12
velocity.apache.org     41
whirr.apache.org        2
wicket.apache.org       3
wink.apache.org         13
ws.apache.org           22
xalan.apache.org        1
xerces.apache.org       5
xml.apache.org          1
xmlbeans.apache.org     3
zookeeper.apache.org    18



--
Sergio Fernández
Salzburg Research
+43 662 2288 318
Jakob-Haringer Strasse 5/II
A-5020 Salzburg (Austria)
http://www.salzburgresearch.at



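The build-time check Uwe suggests above (grep the "Generated by javadoc (build ...)" comment that Sergio found in the generated pages and fail the build when the version is an affected one), written out as an added POSIX shell example. It is not code from this thread, from Lucene, or from any Apache project: the version rule follows Mark's summary (Java 5, Java 6, and Java 7 before update 22), the function names are this example's own, and the sample Javadoc pages it creates are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: fail a build when generated Javadoc
# was produced by a javadoc version affected by the 2013 frame injection
# advisory (Java 5, Java 6, and Java 7 before update 22, per Mark's mail).
# It keys on the standard "Generated by javadoc (build X)" comment that
# Sergio quoted above. Function names are this example's own.

# Returns 0 when the build string (e.g. 1.6.0_32) is an affected version.
javadoc_build_vulnerable() {
    ver="$1"
    # Drop the legacy "1." prefix so 1.7.0_21 and 7.0_21 are handled alike.
    case "$ver" in
        1.*) ver="${ver#1.}" ;;
    esac
    major="${ver%%.*}"
    # The update number follows the underscore; no underscore means update 0.
    update=0
    case "$ver" in
        *_*) update="${ver##*_}" ;;
    esac
    update="${update%%[!0-9]*}"     # strip build suffixes such as "-b03"
    if [ -z "$update" ]; then update=0; fi
    case "$major" in
        5|6) return 0 ;;
        7) if [ "$update" -lt 22 ]; then return 0; fi ;;
    esac
    return 1
}

# Prints the build string recorded in one Javadoc HTML file (empty if none).
javadoc_build_of() {
    sed -n 's/.*Generated by javadoc (build \([^)]*\)).*/\1/p' "$1" | head -n 1
}

# Scans a directory of Javadoc HTML; lists affected files on stderr and
# returns 1 if any page was generated by an affected version, 0 otherwise.
scan_javadoc_dir() {
    dir="$1"
    status=0
    for f in $(find "$dir" -type f -name '*.html'); do
        build=$(javadoc_build_of "$f")
        if [ -n "$build" ] && javadoc_build_vulnerable "$build"; then
            echo "AFFECTED: $f (javadoc build $build)" >&2
            status=1
        fi
    done
    return $status
}

# Creates a constructed sample tree (two pages, one from an affected javadoc,
# one from a fixed one) and prints its path. Sample data only.
make_sample_javadoc() {
    d=$(mktemp -d)
    mkdir -p "$d/old" "$d/new"
    printf '<!-- Generated by javadoc (build 1.6.0_32) on Sun Jun 23 16:32:14 UTC 2013 -->\n<html></html>\n' > "$d/old/index.html"
    printf '<!-- Generated by javadoc (build 1.7.0_25) on Mon Jun 24 10:00:00 UTC 2013 -->\n<html></html>\n' > "$d/new/index.html"
    echo "$d"
}
```

Wired into a build step as `scan_javadoc_dir target/site/apidocs || exit 1`, this catches the case Sergio describes, where the pom asks for Java 7 but the javadoc binary actually picked up from JAVA_HOME is an older one; it only inspects the generated output, so it works the same for Maven, ANT and buildbot-driven builds. It does not detect whether Oracle's post-processing tool has already patched an older page, so run it before any post-processing, on freshly generated output.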