From Oleg Kalnichevski <ol...@apache.org>
Subject Re: CVE-2013-1571, VU#225657 - how to apply Javadoc fix in future
Date Wed, 19 Jun 2013 15:06:48 GMT
On Wed, 2013-06-19 at 12:05 +0100, sebb wrote:
> Quoted from posting to Tomcat dev:
> "Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1],
> VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java
> 7 < 7u25 is vulnerable to a frame injection attack. Oracle has
> provided a repair-in-place tool for Javadoc that cannot be easily
> regenerated, but is urging developers to regenerate whatever Javadoc
> they can using Java 7u25. For all practical purposes, the vulnerability
> really only applies to publicly-hosted Javadoc, so the Javadoc in our
> existing Maven artifacts, downloads, and archived downloads really
> doesn't have to be worried about (not that we could do anything about
> it)."
> I have fixed all the existing Javadocs I could find in HC.
> Going forward, I see the following options:
> - always build Javadocs using Java 1.7u25 or later which has the fixed
> Javadoc tool
> - always run the JavadocFix tool after creating Javadocs and before
> committing site/packaging into jars
> - don't provide Javadoc (!)
> - any others?
> I don't think it's going to be easy to ensure that the correct Javadoc
> tool is always used, so it's probably better to plan to run the
> in-place fixup tool immediately after creating any Javadoc.
> It's trivial to run the tool manually on a local copy of Javadocs (and
> it's reasonably fast).
> But ideally this would need to be integrated into the build process
> following any javadoc run.
> Not sure how easy this will be in Maven; hopefully we can hook into
> the build cycle at the right place.

I suspect there will be quite a few projects scrambling to address the
same issue. It might be worthwhile to approach Maven developers and see
if they might be willing to integrate JavadocFix into Maven Javadoc
plugin and cut an emergency release.


> [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
> [2] http://www.kb.cert.org/vuls/id/225657
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
> For additional commands, e-mail: dev-help@hc.apache.org
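A build-time check for the "run the fixup tool after every javadoc run" option discussed above, added here as an illustration and not code from the thread or from HttpComponents. It assumes (not stated on the page) that the vulnerable generated index.html forwards the query string straight into top.classFrame.location, while the fixed file (Java 7u25 or the in-place patch tool) first screens it with a validURL() function; the two HTML samples are constructed for the demonstration.

```python
"""Fail the build if generated Javadoc still lacks the CVE-2013-1571 frame fix.

Assumption (not from the mailing-list thread): the unfixed index.html assigns
top.targetPage to top.classFrame.location unchecked, and the fixed one adds a
validURL() whitelist function before doing so. Run after javadoc, before jar/site.
"""
import os
import re
import sys

# Constructed sample modelled on the frameset loader in a pre-7u25 index.html.
VULNERABLE_SAMPLE = """<script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
             top.classFrame.location = top.targetPage;
    }
</script>"""

# Constructed sample of the same loader after the fix: the query string is
# screened by validURL() before it is ever used as a frame target.
PATCHED_SAMPLE = VULNERABLE_SAMPLE.replace(
    "targetPage = targetPage.substring(1);",
    "targetPage = targetPage.substring(1);\n"
    '    if (targetPage.indexOf(":") != -1 || (targetPage != "" && !validURL(targetPage)))\n'
    '        targetPage = "undefined";\n'
    "    function validURL(url) { /* character whitelist, elided here */ }")

USES_TARGET_PAGE = re.compile(r"top\.classFrame\.location\s*=\s*top\.targetPage")
HAS_FIX = re.compile(r"function\s+validURL\s*\(")


def classify_index_html(text):
    """Return 'patched', 'vulnerable' or 'no-frames' for one index.html body."""
    if not USES_TARGET_PAGE.search(text):
        return "no-frames"  # no frameset loader, so nothing to inject into
    return "patched" if HAS_FIX.search(text) else "vulnerable"


def find_unpatched(root):
    """Walk a Javadoc output tree and list index.html files still vulnerable."""
    bad = []
    for dirpath, _dirs, files in os.walk(root):
        if "index.html" in files:
            path = os.path.join(dirpath, "index.html")
            with open(path, encoding="utf-8", errors="replace") as fh:
                if classify_index_html(fh.read()) == "vulnerable":
                    bad.append(path)
    return sorted(bad)


if __name__ == "__main__":
    # e.g. python javadoc_check.py target/site/apidocs ; non-zero exit fails the build
    unpatched = find_unpatched(sys.argv[1] if len(sys.argv) > 1 else "target/site/apidocs")
    for p in unpatched:
        print("unpatched Javadoc frameset:", p)
    sys.exit(1 if unpatched else 0)
```

Hooked into Maven with the exec plugin (or run by hand after the javadoc goal), a non-zero exit stops packaging until the fixup tool has been applied.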
