I wasn't able to quickly determine how to detect or exploit this by reviewing the recent security advisories about the issue. Maybe someone else will have more time or better luck spotting the wanted info.
http://www.kb.cert.org/vuls/id/225657 http://xforce.iss.net/xforce/xfdb/84715 http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html On Tue, Jul 9, 2013 at 4:23 PM, Andrus Adamchik <and...@objectstyle.org> wrote: > Mike, thanks for the research. Just committed javadoc plugin upgrade to all > active branches (CAY-1845). I hope we are all set. (wonder if this can be > verified by checking the generated javadocs somehow?) > > Andrus > > On Jul 9, 2013, at 4:20 PM, Mike Kienenberger <mkien...@gmail.com> wrote: > >> LUCENE's issue stated in the comments that the Oracle tool shouldn't >> be used (apparently it can be integrated with maven). It also stated >> that there was a simple way to duplicate the functionality using >> maven, but I didn't immediately see what that was: >> >> Here's the thread it had on that: >> >> https://jira.codehaus.org/browse/MJAVADOC-370?focusedCommentId=327185&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-327185 >> >> This seems to point to https://issues.apache.org/jira/browse/MPOM-46 >> as one solution later on in the comments >> >> Which seems to be a matter of updating the maven-javadoc-plugin >> version from 2.9 to 2.9.1. Maybe that's all we need as well? If >> not, I'm guessing you could diff the changes between versions 2.9 to >> 2.9.1 and find the solution in a maven environment? >> >> http://svn.apache.org/viewvc/maven/pom/trunk/asf/pom.xml?r1=1497692&r2=1497691&pathrev=1497692 >> >> --- maven/pom/trunk/asf/pom.xml 2013/06/28 09:11:27 1497691 >> +++ maven/pom/trunk/asf/pom.xml 2013/06/28 09:14:58 1497692 >> @@ -184,7 +184,7 @@ >> <plugin> >> <groupId>org.apache.maven.plugins</groupId> >> <artifactId>maven-javadoc-plugin</artifactId> >> - <version>2.9</version> >> + <version>2.9.1</version> >> </plugin> >> >> On Tue, Jul 9, 2013 at 9:12 AM, Mike Kienenberger <mkien...@gmail.com> wrote: >>>> On Jul 9, 2013, at 2:57 AM, Aristedes Maniatis <a...@maniatis.org> wrote: >>>>> Did we change the javadoc build process to avoid the javadoc security >>>>> flaw recently discovered? I patched the website javadocs, but I'm not >>>>> sure if we also have to change something in our maven build process or >>>>> upgrade some plugin. >>> >>> On Tue, Jul 9, 2013 at 2:12 AM, Andrus Adamchik <and...@objectstyle.org> >>> wrote: >>>> Me neither. Probably some research is in order. Should we take this to a >>>> separate thread? >>> >>> Maybe you can copy what some other project has done. >>> >>> I saw a notice about it for tomcat but I believe it is built with ant. >>> >>> https://issues.apache.org/bugzilla/show_bug.cgi?id=55119 >>> >>> That notice pointed to Lucene, but it says it was built with ivy. >>> >>> https://issues.apache.org/jira/browse/LUCENE-5072 >>> >>> So I didn't find a pointer to a maven-based fix. >> >
