We likely have this problem too?

---------- Forwarded message ----------
From: <[email protected]>
Date: Tue, Jun 18, 2013 at 6:38 PM
Subject: [Bug 55118] New: Change Javadoc generation per CVE-2013-1571, VU#225657
To: [email protected]


https://issues.apache.org/bugzilla/show_bug.cgi?id=55118

            Bug ID: 55118
           Summary: Change Javadoc generation per CVE-2013-1571, VU#225657
           Product: Log4j
           Version: 1.2.19
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Site & Docs
          Assignee: [email protected]
          Reporter: [email protected]
                CC: [email protected]

Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2])
whereby Javadoc generated with Java 5, Java 6, or Java 7 < 7u25 is vulnerable
to a frame injection attack. Oracle has provided a repair-in-place tool for
Javadoc that cannot be easily interpreted, but is urging developers to
regenerate whatever Javadoc they can using Java 7u25. For all practical purposes,
the vulnerability really only applies to publicly-hosted Javadoc, so the
Javadoc in our existing Maven artifacts really doesn't have to be worried about
(not that we could do anything about it). My thoughts on this:

1) We should apply the repair-in-place tool ASAP to the Javadoc on the website
for Log4j 1 and Log4j 2.

2) Future Log4j 1 and 2 Javadoc should be generated with 7u25 or better. There
will be no fix for Java 5 or 6. Thankfully, generating Javadoc using a
different JDK than you used to compile is quite easy in both Maven and Ant. In
fact, I prefer it that way, because the Javadoc is much more visually
attractive in Java 7.

[1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
[2] http://www.kb.cert.org/vuls/id/225657

--
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
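The bug report's second point, generating Javadoc with a patched JDK that is not the one used to compile, can be expressed as a Maven build fragment. The following is an added example and is not taken from the Log4j project's own pom.xml; the property name `javadoc.jdk.home`, its sample path `/opt/jdk1.7.0_25`, and the plugin version shown are assumptions to be adjusted to the build machine.

```xml
<!-- pom.xml fragment (added example, not the Log4j project's build file). -->
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>javadoc-with-patched-jdk</artifactId>
  <version>1.0-SNAPSHOT</version>

  <properties>
    <!-- Assumed install location of a JDK at 7u25 or later. Override it per
         machine with: mvn -Djavadoc.jdk.home=/path/to/jdk javadoc:javadoc -->
    <javadoc.jdk.home>/opt/jdk1.7.0_25</javadoc.jdk.home>
    <!-- Compilation can still target the older language level; only the
         javadoc tool itself needs to come from the patched JDK. -->
    <maven.compiler.source>1.5</maven.compiler.source>
    <maven.compiler.target>1.5</maven.compiler.target>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-javadoc-plugin</artifactId>
        <!-- Pin to whatever plugin release the project standardises on. -->
        <version>2.9.1</version>
        <configuration>
          <!-- javadocExecutable makes the plugin run this binary instead of
               the javadoc that ships with the JDK Maven is running on. -->
          <javadocExecutable>${javadoc.jdk.home}/bin/javadoc</javadocExecutable>
        </configuration>
        <executions>
          <execution>
            <id>attach-javadocs</id>
            <goals>
              <goal>jar</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Before publishing the regenerated pages, confirm which tool actually ran by invoking `${javadoc.jdk.home}/bin/javadoc -J-version`, which prints the version of the JVM behind that javadoc binary; the Ant equivalent of the setting above is the `executable` attribute of the `<javadoc>` task, pointed at the same path.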
