On 19/06/2013 09:15, Mark Thomas wrote:
On 19/06/2013 00:42, Nick Williams wrote:
Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1],
VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java
7 < 7u25 is vulnerable to a frame injection attack. Oracle has
provided a repair-in-place tool for Javadoc that cannot be easily
regenerated, but is urging developers to regenerate whatever Javadoc
they can using Java 7u25. For all practical purposes, the vulnerability
really only applies to publicly-hosted Javadoc, so the Javadoc in our
existing Maven artifacts, downloads, and archived downloads really
doesn't have to be worried about (not that we could do anything about
it). My thoughts on this:

1) We should apply the repair-in-place tool ASAP to the Javadoc on
the website for Tomcat 6 and Tomcat 7.

And Tomcat 5 and earlier. The javadoc for those isn't linked but remains
available.

Tomcat 5 and earlier are OK as their Javadoc was generated with Java 1.4 and earlier.

I'll get on to this now.

Done.

It is just the index file that changes so that increases the options we have for dealing with this.

Mark
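The fix that 7u25 (and the repair-in-place tool) applies to index.html is an allow-list check on the frame target read from the query string. The following is an added stand-alone reimplementation of that check, not code from the thread or from Oracle's tool; the exact rule set is an assumption modelled on the patched index.html, and the sample query strings are constructed.

```javascript
// Added example, not from the thread. Returns true only if `target` looks like
// a relative javadoc page path (dir/Name.html): letters, digits, '$', '_',
// '-', '/', '.'; a segment cannot start with a digit or '-'; '.' may only
// occur in the last segment (a.b/c.html is refused); ':' is never allowed,
// which rules out http://, javascript:, data: and other schemes.
function isValidTargetPage(target) {
  if (target.indexOf(":") !== -1) return false;
  const pos = target.indexOf(".html");
  if (pos === -1 || pos !== target.length - 5) return false;
  let allowNumber = false; // a digit or '-' may only follow a name char
  let allowSep = false;    // '/' or '.' may only follow a name char
  let seenDot = false;
  for (let i = 0; i < target.length - 5; i++) {
    const ch = target.charAt(i);
    if (/[A-Za-z$_]/.test(ch)) {
      allowNumber = true;
      allowSep = true;
    } else if (/[0-9-]/.test(ch)) {
      if (!allowNumber) return false;
    } else if (ch === "/" || ch === ".") {
      if (!allowSep) return false;
      allowNumber = false;
      allowSep = false;
      if (ch === ".") seenDot = true;
      if (ch === "/" && seenDot) return false;
    } else {
      return false;
    }
  }
  return true;
}

// Mirrors what the patched page does with window.location.search: strip the
// leading '?', validate, and fall back to "undefined" (no frame load) on failure.
function resolveTargetPage(search) {
  let targetPage = search.startsWith("?") ? search.substring(1) : search;
  if (targetPage !== "" && !isValidTargetPage(targetPage)) {
    targetPage = "undefined";
  }
  return targetPage;
}

// Constructed samples: two legitimate deep links of the kind javadoc emits,
// then an absolute URL, a protocol-relative URL, traversal and a script scheme.
const samples = [
  "?org/apache/catalina/Context.html",
  "?org/apache/catalina/package-summary.html",
  "?http://attacker.example/page.html",
  "?//attacker.example/page.html",
  "?../../outside.html",
  "?javascript:alert(1)",
];
for (const s of samples) console.log(s, "->", resolveTargetPage(s));
```

Run with Node.js; only the first two samples resolve to a page, the rest collapse to "undefined".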

