On 19 June 2013 13:12, sebb <seb...@gmail.com> wrote:
> On 19 June 2013 13:03, Nick Williams <nicho...@nicholaswilliams.net> wrote:
>>
>> On Jun 19, 2013, at 3:15 AM, Mark Thomas wrote:
>>
>>> On 19/06/2013 00:42, Nick Williams wrote:
>>>> Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1],
>>>> VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java
>>>> 7 < 7u25 is vulnerable to a frame injection attack. Oracle has
>>>> provided a repair-in-place tool for Javadoc that cannot be easily
>>>> regenerated, but is urging developers to regenerate whatever Javadoc
>>>> they can using Java 7u25. For all practical purposes, the vulnerability
>>>> really only applies to publicly-hosted Javadoc, so the Javadoc in our
>>>> existing Maven artifacts, downloads, and archived downloads really
>>>> doesn't have to be worried about (not that we could do anything about
>>>> it). My thoughts on this:
>>>>
>>>> 1) We should apply the repair-in-place tool ASAP to the Javadoc on
>>>> the website for Tomcat 6 and Tomcat 7.
>>>
>>> And Tomcat 5 and earlier. The javadoc for those isn't linked but remains 
>>> available.
>>>
>>> I'll get on to this now.
>>>
>>>> 2) Future Tomcat 6 and 7 Javadoc should be generated with 7u25 or
>>>> better.
>>>
>>> Hmm. That will need some thought as the build needs to be run with the 
>>> minimum Java version required for that major version. Maybe we can just run 
>>> the Javadoc part with a different JDK. Either that, or run the fix tool 
>>> over the result. This needs some investigation.
>
> I'd recommend running the fix tool after running javadoc; it's quick
> and the license looks OK to include in an SVN build tools area.
>
> It's not just that you have to use Java 7, you have to use Java 7 u25 or 
> later.
> Can that be detected reliably?

Just to make it more fun, the javadoc tool does not display its version...

>> As long as Ant knows where to find the JDK (environmental variable or 
>> something) it can generate Javadoc with Java 7 while Ant runs with Java 5/6. 
>> Ant does not have to run with Java 7. See the Ant documentation for the 
>> Javadoc task [1], refer to the "executable" attribute. By default Ant looks 
>> for "javadoc" in the same JDK Ant is running under, but you can specify a
>> path to a different JDK using the executable attribute. Only downside is 
>> that the building instructions will have to say that Java _ /and/ Java 7u25 
>> are required to build, and that a certain environmental variable has to 
>> exist pointing to the JDK7 installation. Might be best to make this 
>> "conditional" so that it falls back to the default if it can't find Java 7 
>> (makes it easier for home builders).
>>
>> [1] http://ant.apache.org/manual/Tasks/javadoc.html
>>
>>>
>>>> There will be no fix for Java 5 or 6. Thankfully, generating
>>>> Javadoc using a different JDK than you used to compile is quite easy
>>>> in both Maven and Ant. In fact, I personally prefer it that way,
>>>> because the Javadoc is much more visually attractive in Java 7.
>>>
>>> Hopefully it will be as simple as you suggest.
>>>
>>>> I will file an issue about this too, but I wanted to go ahead and
>>>> make the list aware.
>>>
>>> Thanks,
>>>
>>> Mark
>>>
>>>
>>>> Nick
>>>>
>>>> [1]
>>>> http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
>>>>
>>>>
>>>> [2] http://www.kb.cert.org/vuls/id/225657
>>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: dev-h...@tomcat.apache.org
>>>
>>

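The build arrangement Nick sketches above (Ant running on Java 5/6, the Javadoc task pointed at a separate JDK 7 via its "executable" attribute, falling back to the default javadoc when no JDK 7 is found) and sebb's question of whether "7u25 or later" can be detected reliably, worked through as an added Ant build fragment. This is illustrative code written for this page, not Tomcat's build.xml or anything from the thread; the JAVA7_HOME environment variable, the src/output directories and the Unix-style bin/javadoc path are assumptions. Because the javadoc tool does not print its version, the fragment probes the sibling java binary with "-version" and matches the update number in its output.

```xml
<project name="javadoc-jdk7-example" default="javadoc" basedir=".">

  <!-- Hypothetical locations; adjust for the real source tree. -->
  <property name="src.dir"     value="java"/>
  <property name="javadoc.dir" value="output/javadoc"/>

  <!-- Expose environment variables as env.* (e.g. ${env.JAVA7_HOME}). -->
  <property environment="env"/>

  <!-- Step 1: is there a javadoc binary under JAVA7_HOME at all? -->
  <condition property="jdk7.present">
    <and>
      <isset property="env.JAVA7_HOME"/>
      <available file="${env.JAVA7_HOME}/bin/javadoc" type="file"/>
    </and>
  </condition>

  <!-- Step 2: javadoc prints no version of its own, so ask the java binary
       next to it. "java -version" writes to stderr, hence errorproperty. -->
  <target name="probe-jdk7" if="jdk7.present">
    <exec executable="${env.JAVA7_HOME}/bin/java"
          errorproperty="jdk7.version.text"
          failonerror="false"
          failifexecutionfails="false">
      <arg value="-version"/>
    </exec>
    <!-- Accept "1.7.0_25" and any later 1.7.0_NN update: NN = 25..29,
         30..99, or three or more digits. Older updates leave the property
         unset, which routes the build to the fallback target below. -->
    <condition property="javadoc7.exe" value="${env.JAVA7_HOME}/bin/javadoc">
      <matches string="${jdk7.version.text}"
               pattern="&quot;1\.7\.0_(2[5-9]|[3-9][0-9]|[1-9][0-9]{2,})&quot;"/>
    </condition>
    <echo message="JDK 7 probe output: ${jdk7.version.text}"/>
  </target>

  <!-- Step 3a: a 7u25+ javadoc was found. Ant itself keeps running on the
       JDK it was started with; only the javadoc process uses JDK 7. -->
  <target name="javadoc-jdk7" depends="probe-jdk7" if="javadoc7.exe">
    <echo message="Generating Javadoc with ${javadoc7.exe}"/>
    <javadoc executable="${javadoc7.exe}"
             sourcepath="${src.dir}"
             destdir="${javadoc.dir}"
             packagenames="*"/>
  </target>

  <!-- Step 3b: fallback for builders without JAVA7_HOME, or with an update
       older than 25: the javadoc of the JDK Ant is running under. Its output
       still carries the CVE-2013-1571 frame injection issue and must not be
       published without running the repair-in-place tool over it. -->
  <target name="javadoc-default" depends="probe-jdk7" unless="javadoc7.exe">
    <echo level="warning"
          message="JAVA7_HOME unset or older than 7u25; using default javadoc (output not fixed for CVE-2013-1571)"/>
    <javadoc sourcepath="${src.dir}"
             destdir="${javadoc.dir}"
             packagenames="*"/>
  </target>

  <!-- Public entry point: exactly one of the two targets above runs, since
       Ant evaluates if/unless after the probe dependency has executed. -->
  <target name="javadoc" depends="javadoc-jdk7,javadoc-default"/>
</project>
```

Run with "JAVA7_HOME=/path/to/jdk1.7.0_25 ant javadoc" to get the patched output, or plain "ant javadoc" to exercise the fallback. The post-processing step sebb recommends (running Oracle's fix tool over the generated tree) would be a further exec step after either javadoc target; the thread does not give that tool's command line, so it is not shown here. On Windows the probed path would be bin\javadoc.exe.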