maven-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Olivier Lamy (JIRA)" <j...@codehaus.org>
Subject [jira] (MJAVADOC-370) Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2])
Date Mon, 24 Jun 2013 10:21:03 GMT

     [ https://jira.codehaus.org/browse/MJAVADOC-370?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Olivier Lamy updated MJAVADOC-370:
----------------------------------

    Attachment:     (was: MJAVADOC-370.patch)
    
> Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2]) 
> ---------------------------------------------------------
>
>                 Key: MJAVADOC-370
>                 URL: https://jira.codehaus.org/browse/MJAVADOC-370
>             Project: Maven 2.x Javadoc Plugin
>          Issue Type: Improvement
>            Reporter: SebbASF
>            Assignee: Olivier Lamy
>            Priority: Blocker
>             Fix For: 2.9.1
>
>         Attachments: MJAVADOC-370.patch
>
>
> As per the Maven dev list:
> I expect you have all see the news about the Javadoc javascript bug.
> It's going to take a long time for everyone to update their Java
> installations to Java 1.7 u25. Likewise for builds that need to use
> other Java versions, tweaking poms so Java 7 is used for Javadocs
> whilst still maintaining compatibility is a non-trivial task.
> Is there any interest in releasing a "quick-fix" version of the
> javadoc plugin that automatically runs the tool after Javadoc
> completes?
> The fix code is in Java, and can easily be directly called from the
> plugin (no need to start a new process).
> The license looks friendly so long as the code is only used for
> Javadoc fixups, and changes are allowed, which is just as well -
> There are a couple of bugs in the tool as currently released.
> It does not close all the resources; and failure to close the input
> file means it cannot delete the original input file on Windows; that
> needs to be fixed as it would not make sense to keep the old faulty
> file (even if it is now called index.html.orig).
> I can provide details of the fixes, but a decent IDE will probably
> warn about them anyway.
> It would be a great service to the Java community if this could be fast-tracked.
> [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
> [2]http://www.kb.cert.org/vuls/id/225657

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message