Author: bodewig
Date: Mon Jun 24 13:48:08 2013
New Revision: 1496052
URL: http://svn.apache.org/r1496052
Log:
FAQ about javadoc vulnerability
Modified:
ant/site/ant/production/faq.html
ant/site/ant/production/manual/Tasks/javadoc.html
ant/site/ant/sources/faq.xml
Modified: ant/site/ant/production/faq.html
URL:
http://svn.apache.org/viewvc/ant/site/ant/production/faq.html?rev=1496052&r1=1496051&r2=1496052&view=diff
==============================================================================
--- ant/site/ant/production/faq.html (original)
+++ ant/site/ant/production/faq.html Mon Jun 24 13:48:08 2013
@@ -451,6 +451,10 @@
with <code>import</code> like the documentation
states.
</a></li>
+ <li><a href="#CVE-2013-1571">
+ How do I deal with the javadoc vulnerability
+ CVE-2013-1571
+ </a></li>
</ul>
<h3 class="section">Answers</h3>
@@ -2397,6 +2401,19 @@ build.xml:
<import file="importing.xml"/>
</project>
</pre>
+ <p class="faq">
+ <a name="CVE-2013-1571"></a>
+ How do I deal with the javadoc vulnerability
+ CVE-2013-1571
+ </p>
+ <p>There is a frame injection bug in Javadocs as produced by
+ all Oracle JDK's javadoc tool prior to Java 7 update 25.</p>
+ <p>If you cannot upgrade your JDK you can use the
patchtool
+ provided by Oracle. Alternatively the <code>macrodef</code>
+ provided as part of <a
href="https://issues.apache.org/bugzilla/show_bug.cgi?id=55132">Issue
+ 55132</a> can be used as part of your build process.</p>
+ <p>Ant 1.9.2 will postprocess the generated javadocs
as part
+ of the javadoc task.</p>
</div>
</div>
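Review bot: the first answer paragraph reads "produced by all Oracle JDK's javadoc tool prior to Java 7 update 25", which is ungrammatical and leaves it unclear whether "prior to" qualifies the JDK or the tool. Something like "produced by the javadoc tool of all Oracle JDKs prior to Java 7 update 25" would read better. The identical sentence is in the ant/site/ant/sources/faq.xml hunk, so the wording should be changed in both places.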
Modified: ant/site/ant/production/manual/Tasks/javadoc.html
URL:
http://svn.apache.org/viewvc/ant/site/ant/production/manual/Tasks/javadoc.html?rev=1496052&r1=1496051&r2=1496052&view=diff
==============================================================================
--- ant/site/ant/production/manual/Tasks/javadoc.html (original)
+++ ant/site/ant/production/manual/Tasks/javadoc.html Mon Jun 24 13:48:08 2013
@@ -80,6 +80,15 @@ to <javadoc> using <tt>classpath</
excludepackagenames attribute won't have any effect unless it agrees
with the exclude patterns of the packageset (and vice versa).</p>
+<p><b>Note:</b> javadocs created by Oracle JDKs prior to Java 7 update
+ 25 contain a frane injection security vulnerability - for more
+ information
+ see <a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571">CVE-2013-1571</a>.
+ Oracle provides a tool that can post-process javadocs, alternatively
+ you can use the macrodef provided as part
+ of <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=55132">Issue
+ 55132</a> in order to fix the generated documents.</p>
+
<h3>Parameters</h3>
<table border="1" cellpadding="2" cellspacing="0">
<tr>
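Review bot: typo in the added note, "frane injection" should be "frame injection". The note also stops at the Oracle tool and the Issue 55132 macrodef, while the FAQ entry added in the same commit says Ant 1.9.2 will postprocess the generated javadocs as part of the javadoc task. A sentence on that here would tell readers of the task manual whether they still need the workaround.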
Modified: ant/site/ant/sources/faq.xml
URL:
http://svn.apache.org/viewvc/ant/site/ant/sources/faq.xml?rev=1496052&r1=1496051&r2=1496052&view=diff
==============================================================================
--- ant/site/ant/sources/faq.xml (original)
+++ ant/site/ant/sources/faq.xml Mon Jun 24 13:48:08 2013
@@ -2080,6 +2080,24 @@ build.xml:
]]></source>
</answer>
</faq>
+
+ <faq id="CVE-2013-1571">
+ <question>How do I deal with the javadoc vulnerability
+ CVE-2013-1571</question>
+ <answer>
+ <p>There is a frame injection bug in Javadocs as produced by
+ all Oracle JDK's javadoc tool prior to Java 7 update 25.</p>
+
+ <p>If you cannot upgrade your JDK you can use the patchtool
+ provided by Oracle. Alternatively the <code>macrodef</code>
+ provided as part of <a
+ href="https://issues.apache.org/bugzilla/show_bug.cgi?id=55132">Issue
+ 55132</a> can be used as part of your build process.</p>
+
+ <p>Ant 1.9.2 will postprocess the generated javadocs as part
+ of the javadoc task.</p>
+ </answer>
+ </faq>
</faqsection>
</document>
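Review bot: the second paragraph of the answer points readers to "the patchtool provided by Oracle" without a link, and the entry carries no reference for CVE-2013-1571 itself, although the javadoc.html note in this commit links to the cve.mitre.org entry. Adding both links would let a reader reach the fix and the advisory from the FAQ. "Ant 1.9.2 will postprocess" is also in the future tense and will need rewording once that release is out.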