hc-dev mailing list archives

From sebb <seb...@gmail.com>
Subject CVE-2013-1571, VU#225657 - how to apply Javadoc fix in future
Date Wed, 19 Jun 2013 11:05:50 GMT
Quoted from posting to Tomcat dev:

"Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1],
VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java
7 < 7u25 is vulnerable to a frame injection attack. Oracle has
provided a repair-in-place tool for Javadoc that cannot be easily
regenerated, but is urging developers to regenerate whatever Javadoc
they can using Java 7u25. For all practical purposes, the vulnerability
really only applies to publicly-hosted Javadoc, so the Javadoc in our
existing Maven artifacts, downloads, and archived downloads really
doesn't have to be worried about (not that we could do anything about
it)."

I have fixed all the existing Javadocs I could find in HC.

Going forward, I see the following options:
- always build Javadocs using Java 1.7u25 or later which has the fixed
Javadoc tool
- always run the JavadocFix tool after creating Javadocs and before
committing site/packaging into jars
- don't provide Javadoc (!)
- any others?

I don't think it's going to be easy to ensure that the correct Javadoc
tool is always used, so it's probably better to plan to run the
in-place fixup tool immediately after creating any Javadoc.

It's trivial to run the tool manually on a local copy of Javadocs (and
it's reasonably fast).

But ideally this would need to be integrated into the build process
following any javadoc run.
Not sure how easy this will be in Maven; hopefully we can hook into
the build cycle at the right place.

[1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
[2] http://www.kb.cert.org/vuls/id/225657
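An added example, not code from the HttpComponents project or from Oracle, for the "hook into the build cycle" point above: a small checker that walks a generated Javadoc tree after any javadoc run and fails the build if an index.html still carries the unguarded frame-loading script. The markers it looks for are an assumption about how the pre-7u25 page and the fixed page differ (the old page copies window.location.search into targetPage and hands it to a frame; the fixed page additionally defines validURL() and discards anything it rejects), so treat them as a heuristic for this discussion rather than as the fix tool's own logic. The sample pages are constructed.

```python
"""Build-time check for unpatched Javadoc index.html files (added example).

Assumed markers (not taken from Oracle's tool):
  - unfixed javadoc: targetPage = "" + window.location.search, later assigned
    to a frame location without validation;
  - fixed javadoc (7u25 or the in-place fix tool): the same script plus a
    validURL() function that the value must pass first.
"""
import os
import re
import shutil
import sys
import tempfile

# Constructed sample: frame-loading script as produced by an unfixed javadoc tool.
UNPATCHED_INDEX = """<html><head><script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
             top.classFrame.location = top.targetPage;
    }
</script></head><body onload="loadFrames()"></body></html>
"""

# Constructed sample: the same page after a 7u25-style guard has been added
# (validURL body shortened for the sample; the real one is longer).
PATCHED_INDEX = """<html><head><script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    if (targetPage.indexOf(":") != -1 || (targetPage != "" && !validURL(targetPage)))
        targetPage = "undefined";
    function validURL(url) {
        var pos = url.indexOf(".html");
        return pos != -1 && pos == url.length - 5;
    }
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
             top.classFrame.location = top.targetPage;
    }
</script></head><body onload="loadFrames()"></body></html>
"""

# Constructed sample: a page with no frame script at all.
NOFRAMES_INDEX = "<html><body>API docs without frames</body></html>\n"

FRAME_TARGET_RE = re.compile(r'targetPage\s*=\s*""\s*\+\s*window\.location\.search')
GUARD_RE = re.compile(r'\bfunction\s+validURL\s*\(')


def classify(html):
    """Return 'noframes', 'patched' or 'unpatched' for one index.html body."""
    if not FRAME_TARGET_RE.search(html):
        return "noframes"
    if GUARD_RE.search(html):
        return "patched"
    return "unpatched"


def scan_tree(root):
    """Walk root; return sorted, slash-separated relative paths of unpatched index.html files."""
    unpatched = []
    for dirpath, _dirs, files in os.walk(root):
        if "index.html" not in files:
            continue
        path = os.path.join(dirpath, "index.html")
        with open(path, encoding="utf-8", errors="replace") as fh:
            if classify(fh.read()) == "unpatched":
                unpatched.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(unpatched)


def demo():
    """Write the three constructed samples into a temporary tree and scan it."""
    base = tempfile.mkdtemp(prefix="javadoc-check-")
    try:
        samples = {"old/apidocs": UNPATCHED_INDEX,
                   "new/apidocs": PATCHED_INDEX,
                   "plain": NOFRAMES_INDEX}
        for rel, body in samples.items():
            os.makedirs(os.path.join(base, rel))
            with open(os.path.join(base, rel, "index.html"), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    # Usage from a build step: python javadoc_check.py target/site/apidocs
    root = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_tree(root) if root else demo()
    for rel in hits:
        print("unpatched javadoc index:", rel)
    sys.exit(1 if hits else 0)
```

Run it against the apidocs directory right after the fix tool (or a 7u25+ javadoc) has been applied and before the site is committed or the javadoc jar is packaged; a non-zero exit stops the build. In a Maven build one way to place it is to bind an exec-maven-plugin execution to the same phase that runs javadoc:jar, ordered after it (an assumption about the project's build, not something verified here).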
