On 19/06/2013 00:42, Nick Williams wrote:
Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1],
VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java
7 < 7u25 is vulnerable to a frame injection attack. Oracle has
provided a repair-in-place tool for Javadoc that cannot be easily
regenerated, but is urging developers to regenerate whatever Javadoc
they can using Java 7u25. For all practical purses, the vulnerability
really only applies to publicly-hosted Javadoc, so the Javadoc in our
existing Maven artifacts, downloads, and archived downloads really
doesn't have to be worried about (not that we could do anything about
it). My thoughts on this:
1) We should apply the repair-in-place tool ASAP to the Javadoc on
the website for Tomcat 6 and Tomcat 7.
And Tomcat 5 and earlier. The javadoc for those isn't linked but remains
available.
I'll get on to this now.
2) Future Tomcat 6 and 7 Javadoc should be generated with 7u25 or
better.
Hmm. That will need some thought as the build needs to be run with the
minimum Java version required for that major version. Maybe we can just
run the Javadoc part with a different JDK. Either that, or run the fix
tool over the result. This needs some investigation.
There will be no fix for Java 5 or 6. Thankfully, generating
Javadoc using a different JDK than you used to compile is quite easy
in both Maven and Ant. In fact, I personally prefer it that way,
because the Javadoc is much more visually attractive in Java 7.
Hopefully it will be as simple as you suggest.
I will file an issue about this two, but I wanted to go ahead and
make the list aware.
Thanks,
Mark
Nick
[1]
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
[2] http://www.kb.cert.org/vuls/id/225657
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
