  1. Nutch
  2. NUTCH-1590

[SECURITY] Frame injection vulnerability in published Javadoc


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.7, 2.2
    • Fix Version/s: 2.3, 1.9
    • Component/s: documentation
    • Labels:
      None

      Description

      Hi All,

      Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
      generated by Java 5, Java 6 and Java 7 before update 22.

      The infrastructure team has completed a scan of our current project
      websites and identified over 6000 instances of vulnerable Javadoc
      distributed across most TLPs. The chances are the project(s) you
      contribute to is(are) affected. A list of projects and the number of
      affected Javadoc instances per project is provided at the end of this
      e-mail.

      Please take the necessary steps to fix any currently published Javadoc
      and to ensure that any future Javadoc published by your project does not
      contain the vulnerability. The announcement by Oracle includes a link to
      a tool that can be used to fix Javadoc without regeneration.

      The infrastructure team is investigating options for preventing the
      publication of vulnerable Javadoc.

      The issue is public and may be discussed freely on your project's dev list.

      [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
      [2] http://www.kb.cert.org/vuls/id/225657

      nutch.apache.org 8

        Attachments

        1. NUTCH-1590.patch
          2 kB
          Julien Nioche

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              lewismc Lewis John McGibbney
            • Votes:
              0
              Watchers:
              4
