On Jun 24, 2013, at 8:24 PM, Ariel Rabkin <[email protected]> wrote:
> I don't understand how serious a problem this is. Do we need to do
> anything about this?

This comes as a mandate from security so we must, if we are affected by it.

> Anybody want to take the lead and re-compile our javadoc?

/me looks at his shoes and slowly shuffles backward.

Think of this as an opportunity to do another release? :)

Regards,
Alan

>
> --Ari
>
> ---------- Forwarded message ----------
> From: Mark Thomas <[email protected]>
> Date: Thu, Jun 20, 2013 at 4:29 AM
> Subject: [SECURITY] Frame injection vulnerability in published Javadoc
> To: [email protected]
> Cc: [email protected]
>
>
> Hi All,
>
> Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
> generated by Java 5, Java 6 and Java 7 before update 22.
>
> The infrastructure team has completed a scan of our current project
> websites and identified over 6000 instances of vulnerable Javadoc
> distributed across most TLPs. The chances are the project(s) you
> contribute to is(are) affected. A list of projects and the number of
> affected Javadoc instances per project is provided at the end of this
> e-mail.
>
> Please take the necessary steps to fix any currently published Javadoc
> and to ensure that any future Javadoc published by your project does not
> contain the vulnerability. The announcement by Oracle includes a link to
> a tool that can be used to fix Javadoc without regeneration.
>
> The infrastructure team is investigating options for preventing the
> publication of vulnerable Javadoc.
>
> The issue is public and may be discussed freely on your project's dev list.
>
> Thanks,
>
> Mark (ASF Infra)
>
>
>
> [1]
> http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
> [2] http://www.kb.cert.org/vuls/id/225657
>
>
>
>
> --
> Ari Rabkin [email protected]
> Princeton Computer Science Department
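The local check a project would run before answering Mark's mail, as an added example that is not part of this thread or of any ASF or Oracle tooling: a scanner that walks a published site tree and flags javadoc index.html files that still hand the query-string targetPage to the frame without a validURL() check. The sample HTML below is constructed, and the assumption that a fixed page carries a validURL() function is mine (it matches the index.html emitted by patched javadoc and by Oracle's updater tool, not anything stated in the mail).

```python
import os
import re
from typing import List

# Constructed sample of the unvalidated pattern: the frame target comes
# straight from window.location.search and is loaded into the frameset.
VULNERABLE_INDEX = """<html><head><script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
             top.classFrame.location = top.targetPage;
    }
</script></head></html>"""

# Constructed sample of a fixed page: same logic, but targetPage is
# rejected unless validURL() accepts it (assumed marker of a fixed page).
FIXED_INDEX = VULNERABLE_INDEX.replace(
    '        targetPage = targetPage.substring(1);',
    '        targetPage = targetPage.substring(1);\n'
    '    if (targetPage != "" && !validURL(targetPage))\n'
    '        targetPage = "undefined";')

USES_QUERY = re.compile(r'targetPage\s*=\s*""\s*\+\s*window\.location\.search')
HAS_VALIDATOR = re.compile(r'\bvalidURL\s*\(')


def is_vulnerable(html: str) -> bool:
    """True when index.html takes the frame target from the query string
    and never runs it through validURL()."""
    return bool(USES_QUERY.search(html)) and not HAS_VALIDATOR.search(html)


def scan_tree(root: str) -> List[str]:
    """Return paths of every index.html under root that is_vulnerable()."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "index.html" in files:
            path = os.path.join(dirpath, "index.html")
            with open(path, encoding="utf-8", errors="replace") as fh:
                if is_vulnerable(fh.read()):
                    hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Run it against the checkout of the project's published site; an empty result means no index.html still carries the unvalidated targetPage logic.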
