maven-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Olivier Lamy (JIRA)" <>
Subject [jira] (MJAVADOC-370) Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2])
Date Mon, 24 Jun 2013 10:21:03 GMT


Olivier Lamy updated MJAVADOC-370:

    Attachment:     (was: MJAVADOC-370.patch)
> Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2]) 
> ---------------------------------------------------------
>                 Key: MJAVADOC-370
>                 URL:
>             Project: Maven 2.x Javadoc Plugin
>          Issue Type: Improvement
>            Reporter: SebbASF
>            Assignee: Olivier Lamy
>            Priority: Blocker
>             Fix For: 2.9.1
>         Attachments: MJAVADOC-370.patch
> As per the Maven dev list:
> I expect you have all see the news about the Javadoc javascript bug.
> It's going to take a long time for everyone to update their Java
> installations to Java 1.7 u25. Likewise for builds that need to use
> other Java versions, tweaking poms so Java 7 is used for Javadocs
> whilst still maintaining compatibility is a non-trivial task.
> Is there any interest in releasing a "quick-fix" version of the
> javadoc plugin that automatically runs the tool after Javadoc
> completes?
> The fix code is in Java, and can easily be directly called from the
> plugin (no need to start a new process).
> The license looks friendly so long as the code is only used for
> Javadoc fixups, and changes are allowed, which is just as well -
> There are a couple of bugs in the tool as currently released.
> It does not close all the resources; and failure to close the input
> file means it cannot delete the original input file on Windows; that
> needs to be fixed as it would not make sense to keep the old faulty
> file (even if it is now called index.html.orig).
> I can provide details of the fixes, but a decent IDE will probably
> warn about them anyway.
> It would be a great service to the Java community if this could be fast-tracked.
> [1]
> [2]

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message