https://issues.apache.org/bugzilla/show_bug.cgi?id=55119

            Bug ID: 55119
           Summary: Change Javadoc generation per CVE-2013-1571, VU#225657
           Product: Tomcat 6
           Version: 6.0.37
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Documentation
          Assignee: dev@tomcat.apache.org
          Reporter: nicho...@nicholaswilliams.net

Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2])
whereby Javadoc generated with Java 5, Java 6, or Java 7 < 7u25 is vulnerable
to a frame injection attack. Oracle has provided a repair-in-place tool for
Javadoc that cannot be easily regenerated, but is urging developers to
regenerate whatever Javadoc they can using Java 7u25. For all practical purposes,
the vulnerability really only applies to publicly-hosted Javadoc, so the
Javadoc in our existing Maven artifacts, downloads, and archived downloads
really doesn't have to be worried about (not that we could do anything about
it). My thoughts on this:

1) We should apply the repair-in-place tool ASAP to the Javadoc on the website
for Tomcat 6 and Tomcat 7.

2) Future Tomcat 6 and 7 Javadoc should be generated with 7u25 or better. There
will be no fix for Java 5 or 6. Thankfully, generating Javadoc using a
different JDK than you used to compile is quite easy in both Maven and Ant. In
fact, I personally prefer it that way, because the Javadoc is much more
visually attractive in Java 7.

I will file an issue about this too, but I wanted to go ahead and make the list
aware.

Nick

[1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
[2] http://www.kb.cert.org/vuls/id/225657
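Added example, not from this report or from the JDK: the kind of check a frames-based Javadoc index page needs before it loads the page named in its query string (the parameter name targetPage and the fallback page are assumptions). The unsafe form passes the value straight to the frame; the hardened form only accepts a relative .html path inside the Javadoc tree.

```javascript
// Added example (not from the bug report or the JDK): validate a frame target
// taken from the query string of a frames-based Javadoc index page.
// Assumed parameter name: targetPage, as in "index.html?targetPage=...".

// Accept only a relative path to an HTML page inside the Javadoc tree:
// segments of letters/digits/$/_/-, separated by "/", ending in ".html".
// This is deliberately strict (no "." inside segments, no leading "/").
function isSafeTargetPage(target) {
  if (typeof target !== "string" || target === "" || target === "undefined") {
    return false;
  }
  let path;
  try {
    path = decodeURIComponent(target); // malformed %-encoding is rejected
  } catch (e) {
    return false;
  }
  // Any scheme (javascript:, http:, data:) or protocol-relative URL is rejected.
  if (path.indexOf(":") !== -1 || path.startsWith("//")) return false;
  // Allow-list: relative path, no "..", must end in ".html".
  return /^(?:[A-Za-z_$][\w$-]*\/)*[A-Za-z_$][\w$-]*\.html$/.test(path);
}

// Unsafe 'before': the query string is used directly as the frame target,
// so "?http://..." or "?javascript:..." lands in the frame unchanged.
function frameTargetUnsafe(search) {
  return search.substring(1);
}

// Hardened 'after': fall back to the default page unless the target validates.
function frameTargetSafe(search, fallback) {
  const target = search.substring(1);
  return isSafeTargetPage(target) ? target : fallback;
}
```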
