2013/6/19 Mark Thomas <ma...@apache.org>:
> On 19/06/2013 09:15, Mark Thomas wrote:
>>
>> On 19/06/2013 00:42, Nick Williams wrote:
>>>
>>> Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1],
>>> VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java
>>> 7 < 7u25 is vulnerable to a frame injection attack. Oracle has
>>> provided a repair-in-place tool for Javadoc that cannot be easily
>>> regenerated, but is urging developers to regenerate whatever Javadoc
>>> they can using Java 7u25. For all practical purposes, the vulnerability
>>> really only applies to publicly-hosted Javadoc, so the Javadoc in our
>>> existing Maven artifacts, downloads, and archived downloads really
>>> doesn't have to be worried about (not that we could do anything about
>>> it). My thoughts on this:
>>>
>>> 1) We should apply the repair-in-place tool ASAP to the Javadoc on
>>> the website for Tomcat 6 and Tomcat 7.
>>
>>
>> And Tomcat 5 and earlier. The javadoc for those isn't linked but remains
>> available.
>
>
> Tomcat 5 and earlier are OK as their Javadoc was generated with Java 1.4 and
> earlier.
>
Ack. Javadocs in Tomcat 5.5 do not have <SCRIPT> code in their index files.

BTW, the Tomcat 6,7,8 documentation as published by buildbot does not
include javadoc. We are OK there.

>
>> I'll get on to this now.
>
>
> Done.
>
> It is just the index file that changes so that increases the options we have
> for dealing with this.
>
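
A sketch of the check the replies above describe, classifying each `index.html` in a hosted Javadoc tree by whether it carries the frame-loading script at all (added example, not part of the original thread and not Oracle's repair tool). The marker strings `window.location.search` and `validURL`, the directory names and the sample pages are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed markers (not from the thread): the frame-loading script in affected
# index.html files reads window.location.search into `targetPage`; repaired or
# regenerated files are assumed to add a validURL() check.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

def classify_index(html: str) -> str:
    """Return 'no-script', 'needs-repair' or 'repaired' for one index.html."""
    scripts = [s for s in SCRIPT_RE.findall(html) if "window.location.search" in s]
    if not scripts:
        return "no-script"
    if all("validURL" in s for s in scripts):
        return "repaired"
    return "needs-repair"

def scan_tree(root) -> dict:
    """Classify every index.html under root, keyed by path relative to root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): classify_index(p.read_text(errors="replace"))
        for p in sorted(root.rglob("index.html"))
    }

# Constructed sample pages, trimmed to the parts the check looks at.
OLD_STYLE = "<HTML><FRAMESET cols='20%,80%'><FRAME src='overview-frame.html'></FRAMESET></HTML>"
AFFECTED = """<HTML><SCRIPT type="text/javascript">
targetPage = "" + window.location.search;
function loadFrames() { top.classFrame.location = top.targetPage; }
</SCRIPT><FRAMESET onload="top.loadFrames()"></FRAMESET></HTML>"""
# Stand-in for a repaired page: only the presence of validURL matters here.
REPAIRED = AFFECTED.replace(
    "function loadFrames()",
    "function validURL(url) { return false; }\nfunction loadFrames()")

def demo() -> dict:
    """Build a throwaway tree with one page of each kind and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("tomcat-5.5", OLD_STYLE), ("tomcat-6.0", AFFECTED),
                           ("tomcat-7.0", REPAIRED)):
            (Path(d) / name / "api").mkdir(parents=True)
            (Path(d) / name / "api" / "index.html").write_text(body)
        return scan_tree(d)

if __name__ == "__main__":
    for path, state in demo().items():
        print(f"{state:13} {path}")
```

Only files reported as `needs-repair` have to be regenerated or patched in place; since just the index file differs, the rest of each Javadoc tree can stay untouched.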