logging-log4j-dev mailing list archives

From "Ralph Goers (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (LOG4J2-289) Change Javadoc generation per CVE-2013-1571, VU#225657
Date Fri, 05 Jul 2013 06:29:48 GMT

https://issues.apache.org/jira/browse/LOG4J2-289?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13700476#comment-13700476

Ralph Goers commented on LOG4J2-289:

Updated javadoc plugin version to 2.9.1 which contains the fix for this issue.
> Change Javadoc generation per CVE-2013-1571, VU#225657
> ------------------------------------------------------
>                 Key: LOG4J2-289
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-289
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Documentation
>    Affects Versions: 2.0-beta7
>            Reporter: Nick Williams
>            Priority: Critical
>             Fix For: 2.0-beta8
>   Original Estimate: 1h
>  Remaining Estimate: 1h
> Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2]) whereby
> Javadoc generated with Java 5, Java 6, or Java 7 < 7u25 is vulnerable to a frame injection
> attack. Oracle has provided a repair-in-place tool for Javadoc that cannot be easily regenerated,
> but is urging developers to regenerate whatever Javadoc they can using Java 7u25. For all
> practical purposes, the vulnerability really only applies to publicly-hosted Javadoc, so the
> Javadoc in our existing Maven artifacts really doesn't have to be worried about (not that
> we could do anything about it). My thoughts on this:
> 1) We should apply the repair-in-place tool ASAP to the Javadoc on the website for Log4j
> 1 and Log4j 2.
> 2) Future Log4j 1 and 2 Javadoc should be generated with 7u25 or better. There will be
> no fix for Java 5 or 6. Thankfully, generating Javadoc using a different JDK than you used
> to compile is quite easy in both Maven and Ant. In fact, I prefer it that way, because the
> Javadoc is much more visually attractive in Java 7.
> [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
> [2] http://www.kb.cert.org/vuls/id/225657

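The two measures discussed in this issue, pinning maven-javadoc-plugin to 2.9.1 and generating the Javadoc with a JDK 7u25 or newer tool regardless of the JDK used to compile, as an added Maven configuration example that is not taken from the Log4j project's own POM. The `jdk7.home` property and its path are placeholders for wherever a 7u25+ JDK is installed on the build machine.

```xml
<!-- Added example, not the Log4j POM. Pins maven-javadoc-plugin to 2.9.1
     (the release Ralph references as carrying the CVE-2013-1571 fix) and
     points it at a JDK 7u25+ javadoc binary, so the Javadoc tool version
     is independent of the JDK Maven itself runs on. -->
<properties>
  <!-- Placeholder: path to a JDK 7u25 or newer installation -->
  <jdk7.home>/opt/jdk1.7.0_25</jdk7.home>
</properties>

<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-javadoc-plugin</artifactId>
      <version>2.9.1</version>
      <configuration>
        <!-- Run the 7u25+ javadoc executable even when Maven runs on Java 5/6 -->
        <javadocExecutable>${jdk7.home}/bin/javadoc</javadocExecutable>
      </configuration>
    </plugin>
  </plugins>
</build>
```

Running `mvn javadoc:javadoc` with this configuration regenerates `target/site/apidocs` using the pinned tool rather than the compiling JDK's javadoc.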
