From: sebb
To: dev@hc.apache.org
Reply-To: "HttpComponents Project"
Date: Wed, 19 Jun 2013 12:05:50 +0100
Subject: CVE-2013-1571, VU#225657 - how to apply Javadoc fix in future

Quoted from posting to Tomcat dev:

"Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java 7 < 7u25 is vulnerable to a frame injection attack. Oracle has provided a repair-in-place tool for Javadoc that cannot be easily regenerated, but is urging developers to regenerate whatever Javadoc they can using Java 7u25. For all practical purposes, the vulnerability really only applies to publicly-hosted Javadoc, so the Javadoc in our existing Maven artifacts, downloads, and archived downloads really doesn't have to be worried about (not that we could do anything about it)."

I have fixed all the existing Javadocs I could find in HC.

Going forward, I see the following options:

- always build Javadocs using Java 1.7u25 or later which has the fixed Javadoc tool
- always run the JavadocFix tool after creating Javadocs and before committing site/packaging into jars
- don't provide Javadoc (!)
- any others?

I don't think it's going to be easy to ensure that the correct Javadoc tool is always used, so it's probably better to plan to run the in-place fixup tool immediately after creating any Javadoc.

It's trivial to run the tool manually on a local copy of Javadocs (and it's reasonably fast). But ideally this would need to be integrated into the build process following any javadoc run. Not sure how easy this will be in Maven; hopefully we can hook into the build cycle at the right place.

[1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
[2] http://www.kb.cert.org/vuls/id/225657
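The options in the post all come down to one property: every published Javadoc frameset must carry the patched check on the page name it loads from the query string, and a build should be able to verify that before anything is committed or packaged. The example below is added here and is not code from this thread, from Oracle's JavadocFix tool, or from the javadoc tool itself. It shows two defender-side pieces: an allowlist check for the frame target in the spirit of the check the patched javadoc emits (the exact logic Oracle ships is assumed, not copied), and a build-time audit that flags an index.html whose loader still feeds a frame location from the query string without a validator. The helper name validURL, the shape of the loader script in the constructed samples, and the file paths are all assumptions for illustration.

```javascript
// Added example; not code from the mailing-list post, from Oracle's JavadocFix
// tool, or from the javadoc tool. Assumptions: the patched loader defines a
// helper named validURL(), and the loader shape in the samples below resembles
// a Javadoc frameset index.html. Sample documents and paths are constructed.

// 1. Allowlist for the page name that index.html takes from window.location.search.
// Only relative paths of Java-identifier-like segments ending in .html pass,
// e.g. "java/lang/String.html" or "org/apache/http/package-summary.html".
// A scheme separator (":"), an empty segment ("//"), "." or "..", a fragment or
// any character outside the allowlist is rejected.
const SEGMENT_RE = /^[A-Za-z_$][A-Za-z0-9_$-]*$/;
const LEAF_RE = /^[A-Za-z_$][A-Za-z0-9_$-]*(\.[A-Za-z0-9_$-]+)*\.html$/;

function isAllowedTargetPage(raw) {
  let target = String(raw);
  if (target.startsWith("?")) target = target.substring(1); // "?pkg/Cls.html" form
  if (target === "" || target === "undefined") return false;
  if (target.indexOf(":") !== -1) return false; // no URL scheme of any kind
  const segments = target.split("/");
  for (let i = 0; i < segments.length; i++) {
    const re = i === segments.length - 1 ? LEAF_RE : SEGMENT_RE;
    if (!re.test(segments[i])) return false; // also rejects "", ".", ".."
  }
  return true;
}

// 2. Build-time audit of generated index.html files.
// Constructed samples shaped like a frameset loader script; illustrations only.
const VULNERABLE_INDEX_HTML = `<html><head><script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
            top.classFrame.location = top.targetPage;
    }
</script></head><body onload="loadFrames()"></body></html>`;

const FIXED_INDEX_HTML = `<html><head><script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    if (targetPage.indexOf(":") != -1 || (targetPage != "" && !validURL(targetPage)))
        targetPage = "undefined";
    function validURL(url) { /* character allowlist, elided in this sample */ return true; }
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
            top.classFrame.location = top.targetPage;
    }
</script></head><body onload="loadFrames()"></body></html>`;

// True when the loader still assigns a frame location from the query string
// and no validURL() helper is defined anywhere in the page.
function javadocIndexNeedsFix(html) {
  const feedsFrameFromQuery =
    /window\.location\.search/.test(html) && /classFrame\.location\s*=/.test(html);
  const hasValidator = /function\s+validURL\s*\(/.test(html);
  return feedsFrameFromQuery && !hasValidator;
}

// Audit a list of {path, html} entries, as a release script would collect from
// a site/apidocs tree, and return the index.html paths that still need the fix.
function auditIndexFiles(entries) {
  return entries
    .filter((e) => /(^|\/)index\.html$/.test(e.path) && javadocIndexNeedsFix(e.html))
    .map((e) => e.path);
}

// Example run over the constructed inputs (paths are made up):
const report = auditIndexFiles([
  { path: "target/site/apidocs/index.html", html: VULNERABLE_INDEX_HTML },
  { path: "target/site/apidocs/overview-summary.html", html: VULNERABLE_INDEX_HTML },
  { path: "httpclient/target/apidocs/index.html", html: FIXED_INDEX_HTML },
]);
console.log(report); // [ 'target/site/apidocs/index.html' ]
```

A script like this can run right after the javadoc goal, fail the build when the report is non-empty, and be repeated against the published site, which covers both the "fixed javadoc tool" and "run the fixup tool afterwards" options without relying on every developer having the right JDK on the path.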