Maybe we can compare index / toc files before and after and see if there's something obviously different:
index.htm
index.html
toc.htm
toc.html

On Tue, Jul 9, 2013 at 4:58 PM, Mike Kienenberger <mkien...@gmail.com> wrote:
> I wasn't able to quickly determine how to detect or exploit this by
> reviewing the recent security advisories about the issue. Maybe
> someone else will have more time or better luck spotting the wanted
> info.
>
> http://www.kb.cert.org/vuls/id/225657
>
> http://xforce.iss.net/xforce/xfdb/84715
>
> http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
>
>
> On Tue, Jul 9, 2013 at 4:23 PM, Andrus Adamchik <and...@objectstyle.org>
> wrote:
>> Mike, thanks for the research. Just committed javadoc plugin upgrade to all
>> active branches (CAY-1845). I hope we are all set. (wonder if this can be
>> verified by checking the generated javadocs somehow?)
>>
>> Andrus
>>
>> On Jul 9, 2013, at 4:20 PM, Mike Kienenberger <mkien...@gmail.com> wrote:
>>
>>> LUCENE's issue stated in the comments that the Oracle tool shouldn't
>>> be used (apparently it can be integrated with maven). It also stated
>>> that there was a simple way to duplicate the functionality using
>>> maven, but I didn't immediately see what that was:
>>>
>>> Here's the thread it had on that:
>>>
>>> https://jira.codehaus.org/browse/MJAVADOC-370?focusedCommentId=327185&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-327185
>>>
>>> This seems to point to https://issues.apache.org/jira/browse/MPOM-46
>>> as one solution later on in the comments
>>>
>>> Which seems to be a matter of updating the maven-javadoc-plugin
>>> version from 2.9 to 2.9.1. Maybe that's all we need as well? If
>>> not, I'm guessing you could diff the changes between versions 2.9 to
>>> 2.9.1 and find the solution in a maven environment?
>>>
>>> http://svn.apache.org/viewvc/maven/pom/trunk/asf/pom.xml?r1=1497692&r2=1497691&pathrev=1497692
>>>
>>> --- maven/pom/trunk/asf/pom.xml 2013/06/28 09:11:27 1497691 >>> +++ maven/pom/trunk/asf/pom.xml 2013/06/28 09:14:58 1497692 
>>> @@ -184,7 +184,7 @@ >>> <plugin> >>> <groupId>org.apache.maven.plugins</groupId> >>> <artifactId>maven-javadoc-plugin</artifactId> >>> - <version>2.9</version> >>> + <version>2.9.1</version> >>> </plugin>
>>>
>>> On Tue, Jul 9, 2013 at 9:12 AM, Mike Kienenberger <mkien...@gmail.com>
>>> wrote:
>>>>> On Jul 9, 2013, at 2:57 AM, Aristedes Maniatis <a...@maniatis.org> wrote:
>>>>>> Did we change the javadoc build process to avoid the javadoc security
>>>>>> flaw recently discovered? I patched the website javadocs, but I'm not
>>>>>> sure if we also have to change something in our maven build process or
>>>>>> upgrade some plugin.
>>>>
>>>> On Tue, Jul 9, 2013 at 2:12 AM, Andrus Adamchik <and...@objectstyle.org>
>>>> wrote:
>>>>> Me neither. Probably some research is in order. Should we take this to a
>>>>> separate thread?
>>>>
>>>> Maybe you can copy what some other project has done.
>>>>
>>>> I saw a notice about it for tomcat but I believe it is built with ant.
>>>>
>>>> https://issues.apache.org/bugzilla/show_bug.cgi?id=55119
>>>>
>>>> That notice pointed to Lucene, but it says it was built with ivy.
>>>>
>>>> https://issues.apache.org/jira/browse/LUCENE-5072
>>>>
>>>> So I didn't find a pointer to a maven-based fix.
>>>
>>
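
Review bot: the bumped "<version>2.9.1</version>" line for maven-javadoc-plugin carries no comment saying why 2.9.1 is the floor, so a later edit, or a child POM that pins its own version of this plugin, could quietly go back to 2.9. Suggest an XML comment above the <plugin> entry noting that the bump is for the javadoc security issue discussed in this thread, plus a check that modules inheriting this POM do not override the version. The change also only affects javadoc generated from now on; output already published from 2.9 builds still has to be regenerated or patched separately.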
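
One way to do the before/after comparison suggested at the top of this message, as an added example that is not part of the original thread or of the project's build: it diffs only the inline script of the four frame files between two javadoc output trees. The directory layout, the sample pages and the `checked` function name are constructed for illustration and are not real javadoc output.

```python
import difflib
import re
import tempfile
from pathlib import Path

FRAME_FILES = {"index.htm", "index.html", "toc.htm", "toc.html"}  # names from the thread
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

def script_lines(path):
    """Stripped, non-empty lines of every inline <script> block in one HTML file."""
    html = path.read_text(encoding="utf-8", errors="replace")
    return [ln.strip() for body in SCRIPT_RE.findall(html)
            for ln in body.splitlines() if ln.strip()]

def compare_trees(before, after):
    """Map each frame file (relative path) to its script diff or a status string."""
    before, after = Path(before), Path(after)
    rels = {p.relative_to(root) for root in (before, after)
            for p in root.rglob("*") if p.is_file() and p.name in FRAME_FILES}
    report = {}
    for rel in sorted(rels):
        old, new = before / rel, after / rel
        if not (old.is_file() and new.is_file()):
            report[rel.as_posix()] = "only in one tree"
            continue
        diff = list(difflib.unified_diff(script_lines(old), script_lines(new),
                                         "before", "after", lineterm="", n=0))
        report[rel.as_posix()] = diff or "scripts identical"
    return report

def demo():
    """Build two constructed javadoc trees in a temp dir and compare them."""
    # Constructed stand-ins for output of an old and a new plugin run.
    page = '<html><head><script type="text/javascript">\n{}\n</script></head></html>'
    old_js = "targetPage = window.location.search;\nloadFrames();"
    new_js = ("targetPage = window.location.search;\n"
              "if (!checked(targetPage)) targetPage = '';\nloadFrames();")
    with tempfile.TemporaryDirectory() as tmp:
        for name, js in (("before", old_js), ("after", new_js)):
            api = Path(tmp, name, "api")
            api.mkdir(parents=True)
            (api / "index.html").write_text(page.format(js), encoding="utf-8")
            (api / "toc.html").write_text(page.format("loadFrames();"), encoding="utf-8")
        return compare_trees(Path(tmp, "before"), Path(tmp, "after"))

if __name__ == "__main__":
    for rel, result in demo().items():
        print(rel, result, sep="\n  ")
```

A frame file whose script is identical in both trees means the rebuild changed nothing there; a difference still has to be read to confirm it is the expected fix.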