Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
None
-
None
-
None
Description
> Hi All,
>
> Oracle has announced [1], [2] a frame injection vulnerability in
> Javadoc generated by Java 5, Java 6 and Java 7 before update 22.
>
> The infrastructure team has completed a scan of our current project
> websites and identified over 6000 instances of vulnerable Javadoc
> distributed across most TLPs. The chances are the project(s) you
> contribute to is(are) affected. A list of projects and the number of
> affected Javadoc instances per project is provided at the end of this
> e-mail.
>
> Please take the necessary steps to fix any currently published Javadoc
> and to ensure that any future Javadoc published by your project does
> not contain the vulnerability. The announcement by Oracle includes a
> link to a tool that can be used to fix Javadoc without regeneration.
>
> The infrastructure team is investigating options for preventing the
> publication of vulnerable Javadoc.
>
> The issue is public and may be discussed freely on your project's dev list.
>
> Thanks,
>
> Mark (ASF Infra)
>
>
>
> [1]
> http://www.oracle.com/technetwork/topics/security/javacpujun2013-18998
> 47.html [2] http://www.kb.cert.org/vuls/id/225657
> ctakes.apache.org 2