On 19 June 2013 16:06, Oleg Kalnichevski <[email protected]> wrote:
> On Wed, 2013-06-19 at 12:05 +0100, sebb wrote:
>> Quoted from posting to Tomcat dev:
>>
>> "Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1],
>> VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java
>> 7 < 7u25 is vulnerable to a frame injection attack. Oracle has
>> provided a repair-in-place tool for Javadoc that cannot be easily
>> regenerated, but is urging developers to regenerate whatever Javadoc
>> they can using Java 7u25. For all practical purposes, the vulnerability
>> really only applies to publicly-hosted Javadoc, so the Javadoc in our
>> existing Maven artifacts, downloads, and archived downloads really
>> doesn't have to be worried about (not that we could do anything about
>> it)."
>>
>> I have fixed all the existing Javadocs I could find in HC.
>>
>> Going forward, I see the following options:
>> - always build Javadocs using Java 1.7u25 or later, which has the fixed
>>   Javadoc tool
>> - always run the JavadocFix tool after creating Javadocs and before
>>   committing site/packaging into jars
>> - don't provide Javadoc (!)
>> - any others?
>>
>> I don't think it's going to be easy to ensure that the correct Javadoc
>> tool is always used, so it's probably better to plan to run the
>> in-place fixup tool immediately after creating any Javadoc.
>>
>> It's trivial to run the tool manually on a local copy of Javadocs (and
>> it's reasonably fast).
>>
>> But ideally this would need to be integrated into the build process
>> following any javadoc run.
>> Not sure how easy this will be in Maven; hopefully we can hook into
>> the build cycle at the right place.
>>
>
> I suspect there will be quite a few projects scrambling to address the
> same issue. It might be worthwhile to approach Maven developers and see
> if they might be willing to integrate JavadocFix into Maven Javadoc
> plugin and cut an emergency release.
Good idea; I posted a message about it.

Meanwhile I have been working on a Commons plugin that could be plugged
into poms. Partly out of interest, partly insurance policy!

> Oleg
>
>> [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
>> [2] http://www.kb.cert.org/vuls/id/225657
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
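The thread above talks about finding every Javadoc tree that still carries the CVE-2013-1571 frame-injection bug and making sure any newly generated Javadoc has been repaired before it is committed or packaged. The script below is an added example of that check; it is not code from HttpComponents, from Oracle's JavadocFix tool, or from the Maven Javadoc plugin. It walks a directory tree, classifies every `index.html` it finds as vulnerable (the frameset page takes `window.location.search` as `targetPage` and only rejects values containing `:`), fixed (the page also contains a `validURL` allow-list function, as emitted by the 7u25 javadoc tool and by JavadocFix), or not a Javadoc index at all. The `validURL` string as the marker of a repaired file, the two sample `index.html` bodies, and the `is_safe_target` helper (a Python re-statement of the allow-list idea, not a port of Oracle's JavaScript) are all assumptions or constructed inputs introduced here.

```python
"""Scan a tree for Javadoc index.html files affected by CVE-2013-1571.

Added example, not code from the HC project, Oracle, or Maven.
Assumptions: an unfixed index.html assigns window.location.search to
``targetPage`` and only rejects values containing ':'; a repaired one
(javadoc 7u25 or JavadocFix) adds a ``validURL`` function, used here as
the marker of a fixed file.  Sample HTML below is constructed.
"""
import os
import re
import tempfile

# Marker of the frame-target code that every affected index.html carries.
VULN_MARKER = re.compile(r'targetPage\s*=\s*""\s*\+\s*window\.location\.search')
# Marker of the allow-list added by the fixed tool (assumed marker).
FIX_MARKER = re.compile(r"function\s+validURL\s*\(")

# Constructed approximation of an unfixed frameset page: only ':' is rejected,
# so '//evil.example/x.html' would still be loaded into the class frame.
VULNERABLE_INDEX = """<html><head><script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    if (targetPage.indexOf(":") != -1)
        targetPage = "undefined";
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
             top.classFrame.location = top.targetPage;
    }
</script></head><frameset cols="20%,80%" onload="loadFrames()"></frameset></html>
"""

# Constructed approximation of a repaired page: the target must also pass
# an allow-list function before it is used.
FIXED_INDEX = VULNERABLE_INDEX.replace(
    'if (targetPage.indexOf(":") != -1)',
    'if (targetPage.indexOf(":") != -1 || (targetPage != "" && !validURL(targetPage)))',
).replace(
    "    function loadFrames() {",
    "    function validURL(url) { /* allow-list of relative .html paths */ }\n"
    "    function loadFrames() {",
)

# One identifier-like path segment; dots allowed for nested classes
# (HttpClient.Builder.html) and hyphens for package-summary.html.
_SEGMENT = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$\-]*(\.[A-Za-z_$][A-Za-z0-9_$\-]*)*$")


def is_safe_target(target: str) -> bool:
    """Allow-list check in the spirit of the fix (hypothetical re-statement).

    Accept only a relative path of identifier-like segments ending in .html.
    Schemes, protocol-relative '//', absolute paths, '..' and query/fragment
    characters are all rejected because they never match a segment.
    """
    if not target.endswith(".html"):
        return False
    path = target[: -len(".html")]
    if not path or ":" in path or path.startswith("/"):
        return False
    return all(_SEGMENT.match(part) for part in path.split("/"))


def classify(html: str) -> str:
    """Return 'fixed', 'vulnerable' or 'not-javadoc-index' for one file body."""
    if FIX_MARKER.search(html):
        return "fixed"
    if VULN_MARKER.search(html):
        return "vulnerable"
    return "not-javadoc-index"


def scan_tree(root: str) -> dict:
    """Classify every index.html under root, keyed by '/'-separated relative path."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if "index.html" in files:
            full = os.path.join(dirpath, "index.html")
            with open(full, encoding="utf-8", errors="replace") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                results[rel] = classify(fh.read())
    return results


def demo() -> dict:
    """Build a throw-away tree with one file of each kind and scan it."""
    layout = {
        "httpclient/apidocs/index.html": VULNERABLE_INDEX,
        "httpcore/apidocs/index.html": FIXED_INDEX,
        "site/index.html": "<html><body>not a javadoc index</body></html>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in layout.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:18} {path}")
```

Run it against a site checkout or an unpacked `-javadoc.jar` by calling `scan_tree(path)` instead of `demo()`; any `vulnerable` entry is a tree that still needs regenerating with 7u25 or passing through JavadocFix. The `is_safe_target` helper shows why the allow-list approach closes the hole where the original `:` check did not: `//evil.example/x.html` contains no colon yet is protocol-relative, and the allow-list rejects it along with `..` traversal and absolute paths while still accepting ordinary generated names such as `org/apache/http/client/HttpClient.html`.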
