OK. I updated all javadocs on lucene.apache.org. My first task as new chairman. :-)
We don't need to patch our release packages, because the frame injection leak just affects publicly available javadocs on web servers. If somebody unzips a maven or lucene artifact and publishes the javadocs on a webserver - it's not our fault.

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: [email protected]

> -----Original Message-----
> From: Uwe Schindler [mailto:[email protected]]
> Sent: Thursday, June 20, 2013 2:20 PM
> To: [email protected]
> Subject: RE: [SECURITY] Frame injection vulnerability in published Javadoc
>
> I found them, they were moved by gsingers:
> https://svn.apache.org/repos/asf/lucene/old_versioned_docs
> I will patch them and commit them, too.
>
> Uwe
>
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: [email protected]
>
> > -----Original Message-----
> > From: Uwe Schindler [mailto:[email protected]]
> > Sent: Thursday, June 20, 2013 1:15 PM
> > To: [email protected]
> > Subject: RE: [SECURITY] Frame injection vulnerability in published Javadoc
> >
> > Hi,
> >
> > I updated all Javadocs that were in the production tree of the
> > svnpubsub website.
> >
> > I did not find the place in SVN where the old_versioned_docs are located!
> > Where can I access them? Are they visible from people.apache.org?
> >
> > If yes I would run the patch tool from there:
> > java -jar JavadocUpdaterTool.jar -R <path>
> >
> > Uwe
> >
> > -----
> > Uwe Schindler
> > H.-H.-Meier-Allee 63, D-28213 Bremen
> > http://www.thetaphi.de
> > eMail: [email protected]
> >
> > > -----Original Message-----
> > > From: Uwe Schindler [mailto:[email protected]]
> > > Sent: Thursday, June 20, 2013 12:00 PM
> > > To: [email protected]
> > > Subject: Fwd: [SECURITY] Frame injection vulnerability in published Javadoc
> > >
> > > Hi all,
> > >
> > > I will later svn checkout all Javadocs on the Lucene/Solr website
> > > and run the patch tool on them. I will not regenerate all web pages,
> > > just patch the javadocs.
> > > It could be large commits, but don't care.
> > >
> > > Uwe
> > >
> > > -----
> > > Uwe Schindler
> > > H.-H.-Meier-Allee 63, D-28213 Bremen
> > > http://www.thetaphi.de
> > > eMail: [email protected]
> > >
> > > > -----Original Message-----
> > > > From: Mark Thomas [mailto:[email protected]]
> > > > Sent: Thursday, June 20, 2013 10:29 AM
> > > > To: [email protected]
> > > > Cc: [email protected]
> > > > Subject: [SECURITY] Frame injection vulnerability in published Javadoc
> > > >
> > > > Hi All,
> > > >
> > > > Oracle has announced [1], [2] a frame injection vulnerability in
> > > > Javadoc generated by Java 5, Java 6 and Java 7 before update 22.
> > > >
> > > > The infrastructure team has completed a scan of our current project
> > > > websites and identified over 6000 instances of vulnerable Javadoc
> > > > distributed across most TLPs. The chances are the project(s) you
> > > > contribute to is(are) affected. A list of projects and the number of
> > > > affected Javadoc instances per project is provided at the end of this
> > > > e-mail.
> > > >
> > > > Please take the necessary steps to fix any currently published
> > > > Javadoc and to ensure that any future Javadoc published by your
> > > > project does not contain the vulnerability. The announcement by
> > > > Oracle includes a link to a tool that can be used to fix Javadoc
> > > > without regeneration.
> > > >
> > > > The infrastructure team is investigating options for preventing the
> > > > publication of vulnerable Javadoc.
> > > >
> > > > The issue is public and may be discussed freely on your project's dev
> > > > list.
> > > >
> > > > Thanks,
> > > >
> > > > Mark (ASF Infra)
> > > >
> > > > [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
> > > > [2] http://www.kb.cert.org/vuls/id/225657
> > > >
> > > > Project                  Instances
> > > > abdera.apache.org        1
> > > > accumulo.apache.org      2
> > > > activemq.apache.org      105
> > > > any23.apache.org         13
> > > > archiva.apache.org       4
> > > > archive.apache.org       13
> > > > aries.apache.org         7
> > > > avro.apache.org          23
> > > > axis.apache.org          5
> > > > beehive.apache.org       16
> > > > bval.apache.org          12
> > > > camel.apache.org         786
> > > > cayenne.apache.org       4
> > > > chemistry.apache.org     6
> > > > click.apache.org         3
> > > > cocoon.apache.org        6
> > > > commons.apache.org       34
> > > > continuum.apache.org     9
> > > > creadur.apache.org       19
> > > > crunch.apache.org        4
> > > > ctakes.apache.org        2
> > > > curator.apache.org       4
> > > > cxf.apache.org           6
> > > > db.apache.org            39
> > > > directory.apache.org     4
> > > > empire-db.apache.org     1
> > > > felix.apache.org         5
> > > > flume.apache.org         5
> > > > geronimo.apache.org      241
> > > > giraph.apache.org        6
> > > > gora.apache.org          3
> > > > hadoop.apache.org        21
> > > > hbase.apache.org         2
> > > > hive.apache.org          4
> > > > hivemind.apache.org      10
> > > > incubator.apache.org     355
> > > > jackrabbit.apache.org    9
> > > > jakarta.apache.org       39
> > > > james.apache.org         53
> > > > jena.apache.org          5
> > > > juddi.apache.org         3
> > > > lenya.apache.org         46
> > > > logging.apache.org       111
> > > > lucene.apache.org        713
> > > > manifoldcf.apache.org    112
> > > > marmotta.apache.org      1
> > > > maven.apache.org         1623
> > > > maventest.apache.org     1178
> > > > mina.apache.org          2
> > > > mrunit.apache.org        3
> > > > myfaces.apache.org       348
> > > > nutch.apache.org         8
> > > > oltu.apache.org          11
> > > > oodt.apache.org          1
> > > > ooo-site.apache.org      1
> > > > oozie.apache.org         10
> > > > openjpa.apache.org       20
> > > > opennlp.apache.org       9
> > > > pdfbox.apache.org        1
> > > > pig.apache.org           7
> > > > pivot.apache.org         1
> > > > poi.apache.org           1
> > > > portals.apache.org       35
> > > > river.apache.org         2
> > > > santuario.apache.org     1
> > > > shale.apache.org         55
> > > > shiro.apache.org         3
> > > > sling.apache.org         2
> > > > sqoop.apache.org         4
> > > > struts.apache.org        190
> > > > subversion.apache.org    3
> > > > synapse.apache.org       1
> > > > syncope.apache.org       2
> > > > tapestry.apache.org      6
> > > > tika.apache.org          9
> > > > tiles.apache.org         12
> > > > turbine.apache.org       100
> > > > tuscany.apache.org       4
> > > > uima.apache.org          12
> > > > velocity.apache.org      41
> > > > whirr.apache.org         2
> > > > wicket.apache.org        3
> > > > wink.apache.org          13
> > > > ws.apache.org            22
> > > > xalan.apache.org         1
> > > > xerces.apache.org        5
> > > > xml.apache.org           1
> > > > xmlbeans.apache.org      3
> > > > zookeeper.apache.org     18
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [email protected]
> > > For additional commands, e-mail: [email protected]
