I have updated all the Javadoc (17 instances) that is published on the OpenJPA home site with the prescribed patch. The remaining instances are generated in the daily doc build by the BuildBot process. The infrastructure team confirmed they have updated the JDK on those build systems. The OpenJPA Javadoc will be built with proper doc generation the next time BuildBot kicks in.
Regards,
Albert Lee.

---------- Forwarded message ----------
From: Gavin McDonald <[email protected]>
Date: Thu, Jun 20, 2013 at 8:11 PM
Subject: RE: [SECURITY] Frame injection vulnerability in published Javadoc
To: Albert Lee <[email protected]>, [email protected]

Yep,

I've gone through and patched the already published javadocs for all projects on buildbot master, then backtraced to the affected host slaves that built them and upgraded those.

As all projects do a clobber before re-publishing javadocs, I think we are fine going forwards.

Gav...

From: Albert Lee [mailto:[email protected]]
Sent: Friday, 21 June 2013 2:47 AM
To: [email protected]
Subject: Fwd: [SECURITY] Frame injection vulnerability in published Javadoc

OpenJPA uses buildbot to generate JavaDoc on a daily basis.

I assume the JDK used on the buildbot systems has been updated appropriately to prevent this vulnerability.

Please confirm.

Thanks,
Albert Lee.

---------- Forwarded message ----------
From: Mark Thomas <[email protected]>
Date: Thu, Jun 20, 2013 at 3:29 AM
Subject: [SECURITY] Frame injection vulnerability in published Javadoc
To: [email protected]
Cc: [email protected]

Hi All,

Oracle has announced [1], [2] a frame injection vulnerability in Javadoc generated by Java 5, Java 6 and Java 7 before update 22.

The infrastructure team has completed a scan of our current project websites and identified over 6000 instances of vulnerable Javadoc distributed across most TLPs. The chances are the project(s) you contribute to is (are) affected. A list of projects and the number of affected Javadoc instances per project is provided at the end of this e-mail.

Please take the necessary steps to fix any currently published Javadoc and to ensure that any future Javadoc published by your project does not contain the vulnerability.

The announcement by Oracle includes a link to a tool that can be used to fix Javadoc without regeneration.

The infrastructure team is investigating options for preventing the publication of vulnerable Javadoc.

The issue is public and may be discussed freely on your project's dev list.

Thanks,
Mark
(ASF Infra)

[1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
[2] http://www.kb.cert.org/vuls/id/225657

Project                    Instances
abdera.apache.org                  1
accumulo.apache.org                2
activemq.apache.org              105
any23.apache.org                  13
archiva.apache.org                 4
archive.apache.org                13
aries.apache.org                   7
avro.apache.org                   23
axis.apache.org                    5
beehive.apache.org                16
bval.apache.org                   12
camel.apache.org                 786
cayenne.apache.org                 4
chemistry.apache.org               6
click.apache.org                   3
cocoon.apache.org                  6
commons.apache.org                34
continuum.apache.org               9
creadur.apache.org                19
crunch.apache.org                  4
ctakes.apache.org                  2
curator.apache.org                 4
cxf.apache.org                     6
db.apache.org                     39
directory.apache.org               4
empire-db.apache.org               1
felix.apache.org                   5
flume.apache.org                   5
geronimo.apache.org              241
giraph.apache.org                  6
gora.apache.org                    3
hadoop.apache.org                 21
hbase.apache.org                   2
hive.apache.org                    4
hivemind.apache.org               10
incubator.apache.org             355
jackrabbit.apache.org              9
jakarta.apache.org                39
james.apache.org                  53
jena.apache.org                    5
juddi.apache.org                   3
lenya.apache.org                  46
logging.apache.org               111
lucene.apache.org                713
manifoldcf.apache.org            112
marmotta.apache.org                1
maven.apache.org                1623
maventest.apache.org            1178
mina.apache.org                    2
mrunit.apache.org                  3
myfaces.apache.org               348
nutch.apache.org                   8
oltu.apache.org                   11
oodt.apache.org                    1
ooo-site.apache.org                1
oozie.apache.org                  10
openjpa.apache.org                20
opennlp.apache.org                 9
pdfbox.apache.org                  1
pig.apache.org                     7
pivot.apache.org                   1
poi.apache.org                     1
portals.apache.org                35
river.apache.org                   2
santuario.apache.org               1
shale.apache.org                  55
shiro.apache.org                   3
sling.apache.org                   2
sqoop.apache.org                   4
struts.apache.org                190
subversion.apache.org              3
synapse.apache.org                 1
syncope.apache.org                 2
tapestry.apache.org                6
tika.apache.org                    9
tiles.apache.org                  12
turbine.apache.org               100
tuscany.apache.org                 4
uima.apache.org                   12
velocity.apache.org               41
whirr.apache.org                   2
wicket.apache.org                  3
wink.apache.org                   13
ws.apache.org                     22
xalan.apache.org                   1
xerces.apache.org                  5
xml.apache.org                     1
xmlbeans.apache.org                3
zookeeper.apache.org              18

--
Albert Lee.
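Mark's note mentions an infra-side scan of published sites and the wish to stop vulnerable Javadoc from being published again. The following scanner is an added example, not a tool from the thread or from ASF Infra. It assumes (as a heuristic, not something the thread states) that a Javadoc index.html from an affected JDK loads the frame target straight from window.location.search, and that fixed output, as produced by a patched JDK or Oracle's updater tool, adds a validURL() function; an index.html with the loader but no validURL() is reported.

```python
"""Report Javadoc index.html files that still carry the unguarded frame loader.

Heuristic (assumption, not from the mailing-list thread): affected Javadoc sets
top.classFrame.location from window.location.search without a validURL() check;
patched Javadoc adds that function. Files with the loader but no guard are hits.
"""
import re
from pathlib import Path

# Marker of the Javadoc frame loader and of the guard the fix introduces.
FRAME_LOADER = re.compile(r"targetPage\s*=\s*\"\"\s*\+\s*window\.location\.search")
GUARD = re.compile(r"function\s+validURL\s*\(")


def is_unpatched_javadoc_index(html: str) -> bool:
    """True when the page is a Javadoc frame index that lacks the validURL guard."""
    return bool(FRAME_LOADER.search(html)) and not GUARD.search(html)


def scan_tree(root: Path) -> list[Path]:
    """Walk a published site tree and return every index.html still needing a fix."""
    hits = []
    for path in root.rglob("index.html"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if is_unpatched_javadoc_index(text):
            hits.append(path)
    return sorted(hits)


# Constructed samples (not real project files): the bare loader, and the same
# loader with a validURL guard added in the place the fix puts it.
UNPATCHED = """<script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
             top.classFrame.location = top.targetPage;
    }
</script>"""
PATCHED = UNPATCHED.replace(
    "function loadFrames()",
    'if (targetPage != "" && !validURL(targetPage)) targetPage = "undefined";\n'
    "    function validURL(url) { return url.indexOf(':') == -1; }\n"
    "    function loadFrames()")

if __name__ == "__main__":
    import sys
    for hit in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(hit)
```

Run it against the document root of a project site before publishing; a non-empty result means the Javadoc in that tree was built by an affected JDK and has not been patched.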
