tomcat-dev mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: CVE-2013-1571, VU#225657
Date Wed, 19 Jun 2013 10:13:51 GMT
2013/6/19 Mark Thomas <markt@apache.org>:
> On 19/06/2013 09:15, Mark Thomas wrote:
>>
>> On 19/06/2013 00:42, Nick Williams wrote:
>>>
>>> Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1],
>>> VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java
>>> 7 < 7u25 is vulnerable to a frame injection attack. Oracle has
>>> provided a repair-in-place tool for Javadoc that cannot be easily
>>> regenerated, but is urging developers to regenerate whatever Javadoc
>>> they can using Java 7u25. For all practical purposes, the vulnerability
>>> really only applies to publicly-hosted Javadoc, so the Javadoc in our
>>> existing Maven artifacts, downloads, and archived downloads really
>>> doesn't have to be worried about (not that we could do anything about
>>> it). My thoughts on this:
>>>
>>> 1) We should apply the repair-in-place tool ASAP to the Javadoc on
>>> the website for Tomcat 6 and Tomcat 7.
>>
>>
>> And Tomcat 5 and earlier. The javadoc for those isn't linked but remains
>> available.
>
>
> Tomcat 5 and earlier are OK as their Javadoc was generated with Java 1.4 and
> earlier.
>

Ack. Javadocs in Tomcat 5.5 do not have <SCRIPT> code in their index files.

BTW, the Tomcat 6, 7, 8 documentation as published by buildbot does not
include javadoc. We are OK there.

>
>> I'll get on to this now.
>
>
> Done.
>
> It is just the index file that changes so that increases the options we have
> for dealing with this.
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
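An added inventory check (example code, not from this thread or the Tomcat project) for the point above that only the index file changes and that Java 1.4-era Javadoc carries no script there: it walks a published Javadoc tree and classifies each index file by whether its SCRIPT block derives a frame target from window.location and whether a validURL() check is present. Both markers and the three sample index files are assumptions constructed for the example, not copies of real Javadoc output.

```python
import os
import re

# Heuristic markers (assumptions, see lead-in): the affected index.html builds
# a frame target from window.location inside a <SCRIPT> block; a repaired or
# regenerated file is assumed to add a validURL() check before using it.
_SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)
_LOCATION_RE = re.compile(r"window\.location\b")
_VALIDURL_RE = re.compile(r"function\s+validURL\s*\(")


def classify_index(html: str) -> str:
    """Classify one index file: 'no-script', 'repaired' or 'needs-repair'."""
    scripts = _SCRIPT_RE.findall(html)
    # Old Javadoc (e.g. Tomcat 5.5, built with Java 1.4) has no frame-target
    # script in index.html at all, so there is nothing to repair.
    if not any(_LOCATION_RE.search(s) for s in scripts):
        return "no-script"
    if any(_VALIDURL_RE.search(s) for s in scripts):
        return "repaired"
    return "needs-repair"


def scan_javadoc_tree(root: str) -> dict:
    """Walk a published docs tree and classify every index.htm(l) found."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in ("index.html", "index.htm"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report[path] = classify_index(fh.read())
    return report


# Constructed, simplified samples standing in for real index.html files.
OLD_INDEX = "<HTML><HEAD><TITLE>API</TITLE></HEAD><FRAMESET></FRAMESET></HTML>"
UNPATCHED_INDEX = """<HTML><HEAD><SCRIPT type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
</SCRIPT></HEAD><FRAMESET></FRAMESET></HTML>"""
REPAIRED_INDEX = """<HTML><HEAD><SCRIPT type="text/javascript">
    targetPage = "" + window.location.search;
    function validURL(url) { return /^[a-zA-Z0-9_./-]*$/.test(url); }
    if (!validURL(targetPage)) targetPage = "undefined";
</SCRIPT></HEAD><FRAMESET></FRAMESET></HTML>"""

if __name__ == "__main__":
    for label, html in (("old", OLD_INDEX), ("unpatched", UNPATCHED_INDEX),
                        ("repaired", REPAIRED_INDEX)):
        print(label, classify_index(html))
```

Point scan_javadoc_tree() at the webroot holding the published Javadoc; any path reported as "needs-repair" is a candidate for the repair-in-place tool or for regeneration with 7u25.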

