ant-notifications mailing list archives

From bode...@apache.org
Subject svn commit: r1496052 - in /ant/site/ant: production/faq.html production/manual/Tasks/javadoc.html sources/faq.xml
Date Mon, 24 Jun 2013 13:48:09 GMT
Author: bodewig
Date: Mon Jun 24 13:48:08 2013
New Revision: 1496052

URL: http://svn.apache.org/r1496052
Log:
FAQ about javadoc vulnerability

Modified:
    ant/site/ant/production/faq.html
    ant/site/ant/production/manual/Tasks/javadoc.html
    ant/site/ant/sources/faq.xml

Modified: ant/site/ant/production/faq.html
URL: http://svn.apache.org/viewvc/ant/site/ant/production/faq.html?rev=1496052&r1=1496051&r2=1496052&view=diff
==============================================================================
--- ant/site/ant/production/faq.html (original)
+++ ant/site/ant/production/faq.html Mon Jun 24 13:48:08 2013
@@ -451,6 +451,10 @@
         with <code>import</code> like the documentation
         states.
       </a></li>
+                <li><a href="#CVE-2013-1571">
+  How do I deal with the javadoc vulnerability
+      CVE-2013-1571
+      </a></li>
             </ul>
     
       <h3 class="section">Answers</h3>
@@ -2397,6 +2401,19 @@ build.xml:
    &lt;import file=&quot;importing.xml&quot;/&gt;
 &lt;/project&gt;
 </pre>
+                    <p class="faq">
+      <a name="CVE-2013-1571"></a>
+      How do I deal with the javadoc vulnerability
+      CVE-2013-1571
+    </p>
+                  <p>There is a frame injection bug in Javadocs as produced by
+        all Oracle JDK's javadoc tool prior to Java 7 update 25.</p>
+                        <p>If you cannot upgrade your JDK you can use the patchtool
+        provided by Oracle.  Alternatively the <code>macrodef</code>
+        provided as part of <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=55132">Issue
+        55132</a> can be used as part of your build process.</p>
+                        <p>Ant 1.9.2 will postprocess the generated javadocs as part
+        of the javadoc task.</p>
                     </div>
   </div>
 
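Review bot: The answer's second paragraph names "the patchtool provided by Oracle" without a link, and the entry never links the CVE record, although the javadoc.html note in this same commit links cve.mitre.org for CVE-2013-1571. A reader who lands on the #CVE-2013-1571 anchor has no way to check the advisory or locate the tool from here; suggest linking the CVE on first mention and adding a link for the Oracle tool next to the existing Issue 55132 link.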

Modified: ant/site/ant/production/manual/Tasks/javadoc.html
URL: http://svn.apache.org/viewvc/ant/site/ant/production/manual/Tasks/javadoc.html?rev=1496052&r1=1496051&r2=1496052&view=diff
==============================================================================
--- ant/site/ant/production/manual/Tasks/javadoc.html (original)
+++ ant/site/ant/production/manual/Tasks/javadoc.html Mon Jun 24 13:48:08 2013
@@ -80,6 +80,15 @@ to &lt;javadoc&gt; using <tt>classpath</
   excludepackagenames attribute won't have any effect unless it agrees
   with the exclude patterns of the packageset (and vice versa).</p>
 
+<p><b>Note:</b> javadocs created by Oracle JDKs prior to Java 7 update
+  25 contain a frane injection security vulnerability - for more
+  information
+  see <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571">CVE-2013-1571</a>.
+  Oracle provides a tool that can post-process javadocs, alternatively
+  you can use the macrodef provided as part
+  of <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=55132">Issue
+  55132</a> in order to fix the generated documents.</p>
+
 <h3>Parameters</h3>
 <table border="1" cellpadding="2" cellspacing="0">
   <tr>
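Review bot: "frane injection" in the second added line is a typo for "frame injection"; since this is the security note users will search for, it should be fixed before publishing. The note also stops at the two workarounds and leaves out what the FAQ text in this commit states, that Ant 1.9.2 will postprocess the generated javadocs as part of the javadoc task; the task manual is the place a user would expect to find that, so suggest adding a sentence for it here as well.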

Modified: ant/site/ant/sources/faq.xml
URL: http://svn.apache.org/viewvc/ant/site/ant/sources/faq.xml?rev=1496052&r1=1496051&r2=1496052&view=diff
==============================================================================
--- ant/site/ant/sources/faq.xml (original)
+++ ant/site/ant/sources/faq.xml Mon Jun 24 13:48:08 2013
@@ -2080,6 +2080,24 @@ build.xml:
 ]]></source>
       </answer>
     </faq>
+
+    <faq id="CVE-2013-1571">
+      <question>How do I deal with the javadoc vulnerability
+      CVE-2013-1571</question>
+      <answer>
+        <p>There is a frame injection bug in Javadocs as produced by
+        all Oracle JDK's javadoc tool prior to Java 7 update 25.</p>
+
+        <p>If you cannot upgrade your JDK you can use the patchtool
+        provided by Oracle.  Alternatively the <code>macrodef</code>
+        provided as part of <a
+        href="https://issues.apache.org/bugzilla/show_bug.cgi?id=55132">Issue
+        55132</a> can be used as part of your build process.</p>
+
+        <p>Ant 1.9.2 will postprocess the generated javadocs as part
+        of the javadoc task.</p>
+      </answer>
+    </faq>
   </faqsection>
 
 </document>
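Review bot: The text inside the question element is phrased as a question but ends without a question mark ("How do I deal with the javadoc vulnerability CVE-2013-1571"), and "all Oracle JDK's javadoc tool" in the first answer paragraph is hard to parse; suggest "the javadoc tool of all Oracle JDKs prior to Java 7 update 25". The answer also says what to do but not what the risk is to already published javadocs, so a sentence stating that existing generated output needs to be regenerated or post-processed would make the three options easier to choose between.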


