Thanks Sean -- got it.

Cheers,
Chris

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Chris Mattmann, Ph.D.
Senior Computer Scientist
NASA Jet Propulsion Laboratory Pasadena, CA 91109 USA
Office: 171-266B, Mailstop: 171-246
Email: chris.a.mattm...@nasa.gov
WWW:  http://sunset.usc.edu/~mattmann/
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Adjunct Assistant Professor, Computer Science Department
University of Southern California, Los Angeles, CA 90089 USA
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++






-----Original Message-----
From: "ke...@apache.org" <ke...@apache.org>
Reply-To: "dev@oodt.apache.org" <dev@oodt.apache.org>
Date: Thursday, June 20, 2013 6:18 AM
To: "dev@oodt.apache.org" <dev@oodt.apache.org>
Subject: Fwd: [SECURITY] Frame injection vulnerability in published Javadoc

>See the forwarded message below. Yuck.
>
>I used the patching tool mentioned to fix OODT's Javadocs online at
>http://oodt.apache.org/
>
>Whoever cuts the next OODT website MUST use Java 1.7.0_23 or higher.
>
>--k
>
>Begin forwarded message:
>
>> From: Mark Thomas <ma...@apache.org>
>> Subject: [SECURITY] Frame injection vulnerability in published Javadoc
>> Date: 2013 June 20 3.29.23a CDT
>> To: committ...@apache.org
>> Cc: r...@apache.org
>> Reply-To: "infrastruct...@apache.org" <infrastruct...@apache.org>
>> 
>> Hi All,
>> 
>> Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
>> generated by Java 5, Java 6 and Java 7 before update 22.
>> 
>> The infrastructure team has completed a scan of our current project
>> websites and identified over 6000 instances of vulnerable Javadoc
>> distributed across most TLPs. The chances are the project(s) you
>> contribute to is(are) affected. A list of projects and the number of
>> affected Javadoc instances per project is provided at the end of this
>> e-mail.
>> 
>> Please take the necessary steps to fix any currently published Javadoc
>> and to ensure that any future Javadoc published by your project does not
>> contain the vulnerability. The announcement by Oracle includes a link to
>> a tool that can be used to fix Javadoc without regeneration.
>> 
>> The infrastructure team is investigating options for preventing the
>> publication of vulnerable Javadoc.
>> 
>> The issue is public and may be discussed freely on your project's dev
>> list.
>> 
>> Thanks,
>> 
>> Mark (ASF Infra)
>> 
>> 
>> 
>> [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
>> [2] http://www.kb.cert.org/vuls/id/225657
>> 
>> Project                 Instances
>> abdera.apache.org       1
>> accumulo.apache.org     2
>> activemq.apache.org     105
>> any23.apache.org        13
>> archiva.apache.org      4
>> archive.apache.org      13
>> aries.apache.org        7
>> avro.apache.org         23
>> axis.apache.org         5
>> beehive.apache.org      16
>> bval.apache.org         12
>> camel.apache.org        786
>> cayenne.apache.org      4
>> chemistry.apache.org    6
>> click.apache.org        3
>> cocoon.apache.org       6
>> commons.apache.org      34
>> continuum.apache.org    9
>> creadur.apache.org      19
>> crunch.apache.org       4
>> ctakes.apache.org       2
>> curator.apache.org      4
>> cxf.apache.org          6
>> db.apache.org           39
>> directory.apache.org    4
>> empire-db.apache.org    1
>> felix.apache.org        5
>> flume.apache.org        5
>> geronimo.apache.org     241
>> giraph.apache.org       6
>> gora.apache.org         3
>> hadoop.apache.org       21
>> hbase.apache.org        2
>> hive.apache.org         4
>> hivemind.apache.org     10
>> incubator.apache.org    355
>> jackrabbit.apache.org   9
>> jakarta.apache.org      39
>> james.apache.org        53
>> jena.apache.org         5
>> juddi.apache.org        3
>> lenya.apache.org        46
>> logging.apache.org      111
>> lucene.apache.org       713
>> manifoldcf.apache.org   112
>> marmotta.apache.org     1
>> maven.apache.org        1623
>> maventest.apache.org    1178
>> mina.apache.org         2
>> mrunit.apache.org       3
>> myfaces.apache.org      348
>> nutch.apache.org        8
>> oltu.apache.org         11
>> oodt.apache.org         1
>> ooo-site.apache.org     1
>> oozie.apache.org        10
>> openjpa.apache.org      20
>> opennlp.apache.org      9
>> pdfbox.apache.org       1
>> pig.apache.org          7
>> pivot.apache.org        1
>> poi.apache.org          1
>> portals.apache.org      35
>> river.apache.org        2
>> santuario.apache.org    1
>> shale.apache.org        55
>> shiro.apache.org        3
>> sling.apache.org        2
>> sqoop.apache.org        4
>> struts.apache.org       190
>> subversion.apache.org   3
>> synapse.apache.org      1
>> syncope.apache.org      2
>> tapestry.apache.org     6
>> tika.apache.org         9
>> tiles.apache.org        12
>> turbine.apache.org      100
>> tuscany.apache.org      4
>> uima.apache.org         12
>> velocity.apache.org     41
>> whirr.apache.org        2
>> wicket.apache.org       3
>> wink.apache.org         13
>> ws.apache.org           22
>> xalan.apache.org        1
>> xerces.apache.org       5
>> xml.apache.org          1
>> xmlbeans.apache.org     3
>> zookeeper.apache.org    18
>> 
>> 
>
