2013/6/19 sebb <seb...@gmail.com>:
> On 19 June 2013 13:12, sebb <seb...@gmail.com> wrote:
>> On 19 June 2013 13:03, Nick Williams <nicho...@nicholaswilliams.net> wrote:
>>>
>>> On Jun 19, 2013, at 3:15 AM, Mark Thomas wrote:
>>>
>>>> On 19/06/2013 00:42, Nick Williams wrote:
>>>>> Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1],
>>>>> VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java
>>>>> 7 < 7u25 is vulnerable to a frame injection attack. Oracle has
>>>>> provided a repair-in-place tool for Javadoc that cannot be easily
>>>>> regenerated, but is urging developers to regenerate whatever Javadoc
>>>>> they can using Java 7u25. For all practical purses, the vulnerability
>>>>> really only applies to publicly-hosted Javadoc, so the Javadoc in our
>>>>> existing Maven artifacts, downloads, and archived downloads really
>>>>> doesn't have to be worried about (not that we could do anything about
>>>>> it). My thoughts on this:
>>>>>
>>>>> 1) We should apply the repair-in-place tool ASAP to the Javadoc on
>>>>> the website for Tomcat 6 and Tomcat 7.
>>>>
>>>> And Tomcat 5 and earlier. The javadoc for those isn't linked but remains 
>>>> available.
>>>>
>>>> I'll get on to this now.
>>>>
>>>>> 2) Future Tomcat 6 and 7 Javadoc should be generated with 7u25 or
>>>>> better.
>>>>
>>>> Hmm. That will need some thought as the build needs to be run with the 
>>>> minimum Java version required for that major version. Maybe we can just 
>>>> run the Javadoc part with a different JDK. Either that, or run the fix 
>>>> tool over the result. This needs some investigation.
>>
>> I'd recommend running the fix tool after running javadoc; it's quick
>> and the license looks OK to include in an SVN build tools area.
>>
>> It's not just that you have to use Java 7, you have to use Java 7 u25 or 
>> later.
>> Can that be detected reliably?
>
> Just to make it more fun, the javadoc tool does not display its version...
>

>javadoc.exe -J-version

java version "1.7.0_21"
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) Client VM (build 23.21-b01, mixed mode, sharing)
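
Added example, not from this thread or the Tomcat project: a POSIX shell check a build script could run before generating Javadoc. It parses the JVM version banner that "javadoc -J-version" prints (the javadoc tool itself reports no version, as shown above) and only reports the toolchain as fixed for CVE-2013-1571 when the JDK is 7u25 or later. The function names, the constructed sample banners, and the "7u25 or newer is fine" rule are my own; the parser assumes the banner's first line has the form `java version "1.7.0_21"` (or `openjdk version "..."`), and it also accepts the newer `"9"` / `"11.0.2"` style strings, which goes beyond what the thread discusses.

```shell
#!/bin/sh
# Added example: gate Javadoc generation on the JDK behind the javadoc tool.
# "javadoc -J-version" hands -version to the JVM, which prints its banner
# (to stderr) and exits; that banner is the only version we can read.

# parse_java_version BANNER
# Prints "<major> <update>" from the first "... version "x.y.z_u"" line,
# e.g. 'java version "1.7.0_21"' -> "7 21", '11.0.2' -> "11 0".
# Returns 1 if no version line is found.
parse_java_version() {
    line=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$line" ] || return 1
    case "$line" in
        1.*) major=$(printf '%s' "$line" | cut -d. -f2) ;;   # 1.7.0_21 -> 7
        *)   major=$(printf '%s' "$line" | cut -d. -f1) ;;   # 11.0.2   -> 11
    esac
    update=$(printf '%s' "$line" | sed -n 's/.*_\([0-9]*\).*/\1/p')
    [ -n "$update" ] || update=0
    printf '%s %s\n' "$major" "$update"
}

# javadoc_fixed BANNER
# Returns 0 if the JDK is 7u25 or newer (Javadoc output not affected by
# CVE-2013-1571), 1 if older, 2 if the banner could not be parsed.
javadoc_fixed() {
    v=$(parse_java_version "$1") || return 2
    major=${v%% *}
    update=${v##* }
    [ "$major" -gt 7 ] && return 0
    [ "$major" -eq 7 ] && [ "$update" -ge 25 ] && return 0
    return 1
}

# check_javadoc_tool [PATH_TO_JAVADOC]
# Runs the real tool and applies javadoc_fixed to its banner.
check_javadoc_tool() {
    tool=${1:-javadoc}
    out=$("$tool" -J-version 2>&1) || true
    javadoc_fixed "$out"
}

# Constructed sample banners (the first matches the one quoted in the thread).
SAMPLE_7U21='java version "1.7.0_21"
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) Client VM (build 23.21-b01, mixed mode, sharing)'
SAMPLE_7U25='java version "1.7.0_25"
Java(TM) SE Runtime Environment (build 1.7.0_25-b15)'
SAMPLE_11='openjdk version "11.0.2" 2019-01-15
OpenJDK Runtime Environment 18.9 (build 11.0.2+9)'

# Stand-alone demo: check whatever javadoc is on PATH, if any.
if command -v javadoc >/dev/null 2>&1; then
    if check_javadoc_tool javadoc; then
        echo "javadoc: JDK is 7u25 or later, Javadoc output not affected"
    else
        echo "javadoc: JDK predates 7u25 (or version unknown); run the Oracle fix tool over the output"
    fi
fi
```

The banner in the post ("1.7.0_21") is classified as pre-fix, so a build on that machine would still need the repair-in-place tool run over the generated HTML, which is the approach sebb recommends above.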
