  1. Marmotta (Retired)
  2. MARMOTTA-263

Fix frame injection bug in javadocs generated with Java 6 (and Java 7 prior u25)


Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • None
    • None
    • Website

    Description

      The Apache Infra / Security team posted to all committers:

      Hi All,
      Oracle has announced [1], [2] a frame injection vulnerability in Javadoc generated by Java 5, Java 6 and Java 7 before update 22.
      [...]
      Please take the necessary steps to fix any currently published Javadoc and to ensure that any future Javadoc published by your project does not contain the vulnerability. The announcement by Oracle includes a link to a tool that can be used to fix Javadoc without regeneration.
      The infrastructure team is investigating options for preventing the publication of vulnerable Javadoc.
      The issue is public and may be discussed freely on your project's dev list.
      Thanks,
      Mark (ASF Infra)

      For the moment, due to a bug with multiple reports (see http://jira.codehaus.org/browse/MSHARED-271 for further details), our site is only affected by one instance.

      The buildbot+maven environment still uses Java 6, so all the workarounds in the maven plugin (https://jira.codehaus.org/browse/MJAVADOC-370) wouldn't be enough...
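
A check for the step the mail asks for, finding already published Javadoc that still needs fixing, as an added example that is not part of the original issue and not the Oracle tool: it walks a site tree and flags pages that carry the frameset loader without a guard. The marker strings (`classFrame.location`, `targetPage`, `validURL`) and the sample pages are assumptions, not taken from this page.

```python
import re
import tempfile
from pathlib import Path

# Assumed markers, not taken from this page: the frameset loader assigns the
# query-string-derived targetPage to the class frame; fixed output is assumed
# to define a validURL() guard around that assignment.
LOADER = re.compile(r"classFrame\.location\s*=\s*(?:top\.)?targetPage")
GUARD = re.compile(r"function\s+validURL\s*\(")

def classify(html):
    """Classify one HTML document as 'vulnerable', 'patched' or 'no-loader'."""
    if not LOADER.search(html):
        return "no-loader"
    return "patched" if GUARD.search(html) else "vulnerable"

def scan(root):
    """Return {relative path: verdict} for every page that has the loader."""
    findings = {}
    for path in sorted(Path(root).rglob("*.htm*")):
        if not path.is_file():
            continue
        verdict = classify(path.read_text(encoding="utf-8", errors="replace"))
        if verdict != "no-loader":
            findings[path.relative_to(root).as_posix()] = verdict
    return findings

# Constructed sample pages (illustrative, not real Javadoc output).
OLD_PAGE = """<html><head><script>
targetPage = "" + window.location.search;
function loadFrames() { top.classFrame.location = top.targetPage; }
</script></head><frameset onload="loadFrames()"></frameset></html>"""
NEW_PAGE = OLD_PAGE.replace(
    "function loadFrames()",
    "function validURL(url) { return false; }\nfunction loadFrames()")

def demo():
    """Build a throwaway site with one old and one fixed report, then scan it."""
    pages = {"apidocs/index.html": OLD_PAGE,
             "module/apidocs/index.html": NEW_PAGE,
             "index.html": "<html><body>Project site</body></html>"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in pages.items():
            page = Path(root, rel)
            page.parent.mkdir(parents=True, exist_ok=True)
            page.write_text(body, encoding="utf-8")
        return scan(root)

if __name__ == "__main__":
    for page, verdict in demo().items():
        print(f"{verdict:10} {page}")
```

Pointing `scan()` at the staged site directory before publication lists every report that still needs the fix, which matters when several Javadoc reports are generated per site.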

            People

              wikier Sergio Fernández


                Time Tracking

                  Original Estimate - 2h
                  Remaining Estimate - 2h
                  Time Spent - Not Specified