[ https://issues.apache.org/jira/browse/MARMOTTA-263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13692146#comment-13692146 ]

Uwe Schindler commented on MARMOTTA-263:
----------------------------------------

bq. The buildbot+maven environment still uses Java6, so all the workaround in 
the maven plugin (https://jira.codehaus.org/browse/MJAVADOC-370) wouldn't be 
enough...

Why is that? The workaround after release of javadocs plugin 2.9.1 is to hot-patch 
the javadocs. You only need to update your pom.xml file to use the 
to-be-released javadoc plugin version.
                
> Fix frame injection bug in javadocs generated with Java 6 (and Java 7 prior 
> u25)
> --------------------------------------------------------------------------------
>
>                 Key: MARMOTTA-263
>                 URL: https://issues.apache.org/jira/browse/MARMOTTA-263
>             Project: Marmotta
>          Issue Type: Bug
>          Components: Website
>            Reporter: Sergio Fernández
>            Assignee: Sergio Fernández
>            Priority: Critical
>              Labels: javadoc, oracle, security
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> The Apache Infra / Security team posted to all committers:
> Hi All,
> Oracle has announced [1], [2] a frame injection vulnerability in Javadoc 
> generated by Java 5, Java 6 and Java 7 before update 22.
> [...]
> Please take the necessary steps to fix any currently published Javadoc and to 
> ensure that any future Javadoc published by your project does not contain the 
> vulnerability. The announcement by Oracle includes a link to a tool that can 
> be used to fix Javadoc without regeneration.
> The infrastructure team is investigating options for preventing the 
> publication of vulnerable Javadoc.
> The issue is public and may be discussed freely on your project's dev list.
> Thanks,
> Mark (ASF Infra)
> For the moment, due to a bug with multiple reports (see 
> http://jira.codehaus.org/browse/MSHARED-271 for further details), our site 
> is only affected by one instance.
> The buildbot+maven environment still uses Java6, so all the workaround in the 
> maven plugin (https://jira.codehaus.org/browse/MJAVADOC-370) wouldn't be 
> enough...

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira