tomcat-dev mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: CVE-2013-1571, VU#225657
Date Wed, 19 Jun 2013 13:12:31 GMT
2013/6/19 sebb <sebbaz@gmail.com>:
> On 19 June 2013 13:12, sebb <sebbaz@gmail.com> wrote:
>> On 19 June 2013 13:03, Nick Williams <nicholas@nicholaswilliams.net> wrote:
>>>
>>> On Jun 19, 2013, at 3:15 AM, Mark Thomas wrote:
>>>
>>>> On 19/06/2013 00:42, Nick Williams wrote:
>>>>> Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1],
>>>>> VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java
>>>>> 7 < 7u25 is vulnerable to a frame injection attack. Oracle has
>>>>> provided a repair-in-place tool for Javadoc that cannot be easily
>>>>> regenerated, but is urging developers to regenerate whatever Javadoc
>>>>> they can using Java 7u25. For all practical purposes, the vulnerability
>>>>> really only applies to publicly-hosted Javadoc, so the Javadoc in our
>>>>> existing Maven artifacts, downloads, and archived downloads really
>>>>> doesn't have to be worried about (not that we could do anything about
>>>>> it). My thoughts on this:
>>>>>
>>>>> 1) We should apply the repair-in-place tool ASAP to the Javadoc on
>>>>> the website for Tomcat 6 and Tomcat 7.
>>>>
>>>> And Tomcat 5 and earlier. The javadoc for those isn't linked but remains
>>>> available.
>>>>
>>>> I'll get on to this now.
>>>>
>>>>> 2) Future Tomcat 6 and 7 Javadoc should be generated with 7u25 or
>>>>> better.
>>>>
>>>> Hmm. That will need some thought as the build needs to be run with the minimum
>>>> Java version required for that major version. Maybe we can just run the Javadoc part with
>>>> a different JDK. Either that, or run the fix tool over the result. This needs some investigation.
>>
>> I'd recommend running the fix tool after running javadoc; it's quick
>> and the license looks OK to include in an SVN build tools area.
>>
>> It's not just that you have to use Java 7, you have to use Java 7 u25 or later.
>> Can that be detected reliably?
>
> Just to make it more fun, the javadoc tool does not display its version...
>

>javadoc.exe -J-version

java version "1.7.0_21"
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) Client VM (build 23.21-b01, mixed mode, sharing)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
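The thread asks whether "Java 7u25 or later" can be detected reliably, and the reply shows that `javadoc -J-version` prints the JVM version banner. The following POSIX sh check is an added example, not code from the thread or from the Tomcat build: it parses that banner and reports whether the javadoc tool is new enough to emit frame-injection-safe output (7u25 or later, or any later feature release). The function names and the `JAVADOC` variable are assumptions; the banner format is the one quoted in the message.

```shell
#!/bin/sh
# Gate a Javadoc build step on the tool version, for CVE-2013-1571.
# "javadoc -J-version" prints the JVM banner (to stderr), e.g.
#   java version "1.7.0_21"
#   Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
# Fixed javadoc ships with Java 7u25 and later, so that is the threshold.

# javadoc_version_ok BANNER
# BANNER is the text printed by "javadoc -J-version".  Returns 0 when the
# reported version is 1.7.0_25 or later (or Java 8+), 1 otherwise.
javadoc_version_ok() {
    # Pull the quoted version string out of the first matching line;
    # accepts both 'java version "..."' and 'openjdk version "..."'.
    ver=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1

    # Legacy strings look like 1.7.0_21 (feature 7, update 21); newer
    # JDKs print 9.0.1 / 11.0.2 (feature is the first field).
    major=$(printf '%s' "$ver" | cut -d. -f1)
    if [ "$major" = "1" ]; then
        feature=$(printf '%s' "$ver" | cut -d. -f2)
    else
        feature=$major
    fi
    # Update number after "_", digits only; missing update counts as 0.
    update=$(printf '%s' "$ver" | sed -n 's/^[0-9]*\.[0-9]*\.[0-9]*_\([0-9]*\).*/\1/p')
    : "${update:=0}"

    case "$feature" in
        ''|*[!0-9]*) return 1 ;;          # unparseable banner: fail closed
    esac
    [ "$feature" -gt 7 ] && return 0      # Java 8+ carries the fix
    [ "$feature" -lt 7 ] && return 1      # Java 5/6 javadoc is affected
    [ "$update" -ge 25 ]                  # Java 7: require 7u25 or later
}

# check_installed_javadoc: run the check against the javadoc on PATH (or the
# one named by $JAVADOC), the way a build script would before generating docs.
check_installed_javadoc() {
    banner=$("${JAVADOC:-javadoc}" -J-version 2>&1) || return 1
    javadoc_version_ok "$banner"
}
```

A build that runs the Javadoc step with an older JDK can call `check_installed_javadoc` and, on failure, either switch to a 7u25+ JDK for that step or run Oracle's repair tool over the generated output, as discussed above.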

