[jira] [Commented] (NUTCH-1590) [SECURITY] Frame injection vulnerability in published Javadoc

Tue, 17 Jun 2014 08:06:41 -0700 

    [ 
https://issues.apache.org/jira/browse/NUTCH-1590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14033883#comment-14033883
 ] 

Hudson commented on NUTCH-1590:
-------------------------------

SUCCESS: Integrated in Nutch-trunk #2661 (See 
[https://builds.apache.org/job/Nutch-trunk/2661/])
NUTCH-1590 [SECURITY] Frame injection vulnerability in published Javadoc 
(jnioche) (jnioche: 
http://svn.apache.org/viewvc/nutch/trunk/?view=rev&rev=1603179)
* /nutch/trunk/CHANGES.txt
* /nutch/trunk/build.xml


> [SECURITY] Frame injection vulnerability in published Javadoc
> -------------------------------------------------------------
>
>                 Key: NUTCH-1590
>                 URL: https://issues.apache.org/jira/browse/NUTCH-1590
>             Project: Nutch
>          Issue Type: New Feature
>          Components: documentation
>    Affects Versions: 1.7, 2.2
>            Reporter: Lewis John McGibbney
>            Priority: Blocker
>             Fix For: 1.9
>
>         Attachments: NUTCH-1590.patch
>
>
> Hi All,
> Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
> generated by Java 5, Java 6 and Java 7 before update 22.
> The infrastructure team has completed a scan of our current project
> websites and identified over 6000 instances of vulnerable Javadoc
> distributed across most TLPs. The chances are the project(s) you
> contribute to is(are) affected. A list of projects and the number of
> affected Javadoc instances per project is provided at the end of this
> e-mail.
> Please take the necessary steps to fix any currently published Javadoc
> and to ensure that any future Javadoc published by your project does not
> contain the vulnerability. The announcement by Oracle includes a link to
> a tool that can be used to fix Javadoc without regeneration.
> The infrastructure team is investigating options for preventing the
> publication of vulnerable Javadoc.
> The issue is public and may be discussed freely on your project's dev list.
> [1]
> http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
> [2] http://www.kb.cert.org/vuls/id/225657
> nutch.apache.org        8



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to