On 19 June 2013 13:03, Nick Williams <nicho...@nicholaswilliams.net> wrote:
>
> On Jun 19, 2013, at 3:15 AM, Mark Thomas wrote:
>
>> On 19/06/2013 00:42, Nick Williams wrote:
>>> Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1],
>>> VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java
>>> 7 < 7u25 is vulnerable to a frame injection attack. Oracle has
>>> provided a repair-in-place tool for Javadoc that cannot be easily
>>> regenerated, but is urging developers to regenerate whatever Javadoc
>>> they can using Java 7u25. For all practical purposes, the vulnerability
>>> really only applies to publicly-hosted Javadoc, so the Javadoc in our
>>> existing Maven artifacts, downloads, and archived downloads really
>>> doesn't have to be worried about (not that we could do anything about
>>> it). My thoughts on this:
>>>
>>> 1) We should apply the repair-in-place tool ASAP to the Javadoc on
>>> the website for Tomcat 6 and Tomcat 7.
>>
>> And Tomcat 5 and earlier. The javadoc for those isn't linked but remains
>> available.
>>
>> I'll get on to this now.
>>
>>> 2) Future Tomcat 6 and 7 Javadoc should be generated with 7u25 or
>>> better.
>>
>> Hmm. That will need some thought as the build needs to be run with the
>> minimum Java version required for that major version. Maybe we can just run
>> the Javadoc part with a different JDK. Either that, or run the fix tool over
>> the result. This needs some investigation.
I'd recommend running the fix tool after running javadoc; it's quick and the
license looks OK to include in an SVN build tools area.

It's not just that you have to use Java 7, you have to use Java 7 u25 or
later. Can that be detected reliably?

> As long as Ant knows where to find the JDK (environmental variable or
> something) it can generate Javadoc with Java 7 while Ant runs with Java 5/6.
> Ant does not have to run with Java 7. See the Ant documentation for the
> Javadoc task [1], refer to the "executable" attribute. By default Ant looks
> for "javadoc" in the same JDK Ant is running under, but you can specify a
> path to a different JDK using the executable attribute. Only downside is that
> the building instructions will have to say that Java _ /and/ Java 7u25 are
> required to build, and that a certain environmental variable has to exist
> pointing to the JDK7 installation. Might be best to make this "conditional"
> so that it falls back to the default if it can't find Java 7 (makes it easier
> for home builders).
>
> [1] http://ant.apache.org/manual/Tasks/javadoc.html
>
>>
>>> There will be no fix for Java 5 or 6. Thankfully, generating
>>> Javadoc using a different JDK than you used to compile is quite easy
>>> in both Maven and Ant. In fact, I personally prefer it that way,
>>> because the Javadoc is much more visually attractive in Java 7.
>>
>> Hopefully it will be as simple as you suggest.
>>
>>> I will file an issue about this too, but I wanted to go ahead and
>>> make the list aware.
>>
>> Thanks,
>>
>> Mark
>>
>>
>>> Nick
>>>
>>> [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
>>> [2] http://www.kb.cert.org/vuls/id/225657
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: dev-h...@tomcat.apache.org
>>
>
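The two points raised in the exchange above, the conditional "executable" fallback for Ant's javadoc task and the question of whether "7u25 or later" can be detected reliably, as an added example that is not part of the thread or of the Tomcat build scripts. It is a POSIX shell helper: it parses the version string that "java -version" prints, accepts only JDK 7 update 25 or later (or any newer major release), and prints the javadoc binary to hand to Ant. The environment variable name JDK7_HOME and the Ant property name javadoc.executable are assumptions chosen for illustration, not names the project uses.

```shell
#!/bin/sh
# Added example, not from the thread or the Tomcat build: pick the javadoc
# binary that Ant's <javadoc executable="..."> should use. It prefers
# $JDK7_HOME (an assumed variable name) when that JDK is 7u25 or later and
# otherwise falls back to the plain "javadoc" that Ant would use anyway.

# jdk_version_ok VERSION
# Return 0 when VERSION (the string printed by "java -version", e.g.
# 1.7.0_25, 1.7.0_40-b43, 1.8.0, 9.0.4) is JDK 7 update 25 or later.
jdk_version_ok() {
    ver=$1
    first=$(printf '%s' "$ver" | cut -d. -f1)
    if [ "$first" = "1" ]; then
        # Pre-9 numbering: 1.<major>.0_<update>[-b<build>]
        major=$(printf '%s' "$ver" | cut -d. -f2)
        rest=$(printf '%s' "$ver" | cut -d. -f3)
        update=$(printf '%s' "$rest" | sed -n 's/^[0-9]*_\([0-9]*\).*/\1/p')
    else
        # Java 9+ numbering: <major>.<minor>.<security>; always newer than 7u25
        major=$first
        update=0
    fi
    update=${update:-0}
    case "$major" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: do not trust it
    esac
    if [ "$major" -gt 7 ]; then
        return 0
    fi
    if [ "$major" -eq 7 ] && [ "$update" -ge 25 ]; then
        return 0
    fi
    return 1
}

# jdk_version_of JDK_HOME
# Print the version string of JDK_HOME/bin/java, or nothing if it cannot run.
jdk_version_of() {
    "$1/bin/java" -version 2>&1 \
        | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# pick_javadoc
# Print the javadoc executable to hand to Ant: $JDK7_HOME/bin/javadoc when
# that JDK is 7u25 or later, otherwise "javadoc" (the JDK Ant runs under).
pick_javadoc() {
    home=${JDK7_HOME:-}
    if [ -n "$home" ] && [ -x "$home/bin/javadoc" ] \
       && jdk_version_ok "$(jdk_version_of "$home")"; then
        printf '%s\n' "$home/bin/javadoc"
    else
        printf 'javadoc\n'
    fi
}
```

Typical use is `ant -Djavadoc.executable="$(pick_javadoc)" javadoc` against a build file whose javadoc task reads `executable="${javadoc.executable}"`, so a builder without a JDK 7 installation still gets a build, just with the default javadoc. The version check only tells you which generator was used; as the thread says, running the repair-in-place tool over the generated output is the cheap, version-independent safeguard.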