logging-log4j-dev mailing list archives

From Nick Williams <nicho...@nicholaswilliams.net>
Subject CVE-2013-1571, VU#225657
Date Tue, 18 Jun 2013 23:35:02 GMT
Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2]) whereby Javadoc
generated with Java 5, Java 6, or Java 7 < 7u25 is vulnerable to a frame injection attack.
Oracle has provided a repair-in-place tool for Javadoc that cannot be easily interpreted,
but is urging developers to regenerate whatever Javadoc they can using Java 7u25. For all
practical purposes, the vulnerability really only applies to publicly-hosted Javadoc, so we
really don't have to worry about the Javadoc in our existing Maven artifacts (not that
we could do anything about it). My thoughts on this:

1) We should apply the repair-in-place tool ASAP to the Javadoc on the website for Log4j 1
and Log4j 2.

2) Future Log4j 1 and 2 Javadoc should be generated with 7u25 or better. There will be no
fix for Java 5 or 6. Thankfully, generating Javadoc using a different JDK than you used to
compile is quite easy in both Maven and Ant. In fact, I prefer it that way, because the Javadoc
is much more visually attractive in Java 7.

I will file an issue about this too, but I wanted to go ahead and make the list aware.

Nick

[1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
[2] http://www.kb.cert.org/vuls/id/225657


---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-dev-unsubscribe@logging.apache.org
For additional commands, e-mail: log4j-dev-help@logging.apache.org
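Added example for point 2 above (editor's illustration, not configuration from the message or from the Log4j build files): pinning the Maven Javadoc plugin to the javadoc binary of a separate JDK so the site/artifact Javadoc is produced by 7u25 or later even when the compile runs under Java 5 or 6. The property name `javadoc.jdk7.home`, the install path and the plugin version are assumptions; `javadocExecutable` is a real parameter of maven-javadoc-plugin.

```xml
<!-- pom.xml fragment (added example, not the project's own pom).
     Assumption: a JDK 7u25+ is installed at the path given by
     javadoc.jdk7.home; override with -Djavadoc.jdk7.home=... -->
<project>
  <properties>
    <javadoc.jdk7.home>/opt/jdk1.7.0_25</javadoc.jdk7.home>
  </properties>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-javadoc-plugin</artifactId>
        <version>2.9</version>
        <configuration>
          <!-- Use this JDK's javadoc regardless of the JDK Maven itself runs under,
               so the generated frames/index.html come from a patched javadoc. -->
          <javadocExecutable>${javadoc.jdk7.home}/bin/javadoc</javadocExecutable>
        </configuration>
        <executions>
          <execution>
            <id>attach-javadocs</id>
            <goals>
              <goal>jar</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Before relying on it, confirm which binary the property resolves to with `${javadoc.jdk7.home}/bin/javadoc -J-version` (the `-J` prefix hands the flag to the JVM that runs javadoc, so it prints the JDK version). The Ant `<javadoc>` task has the equivalent `executable` attribute for the same purpose.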

