Bug 55119 - Change Javadoc generation per CVE-2013-1571, VU#225657
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Documentation
Version: 6.0.37
Hardware: All All
Importance: P2 normal
Target Milestone: default
Assignee: Tomcat Developers Mailing List
Reported: 2013-06-18 23:43 UTC by Nick Williams
Modified: 2014-01-13 14:15 UTC
Description Nick Williams 2013-06-18 23:43:42 UTC
Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java 7 < 7u25 is vulnerable to a frame injection attack. Oracle has provided a repair-in-place tool for Javadoc that cannot be easily regenerated, but is urging developers to regenerate whatever Javadoc they can using Java 7u25. For all practical purposes, the vulnerability really only applies to publicly-hosted Javadoc, so the Javadoc in our existing Maven artifacts, downloads, and archived downloads really doesn't have to be worried about (not that we could do anything about it). My thoughts on this:

1) We should apply the repair-in-place tool ASAP to the Javadoc on the website for Tomcat 6 and Tomcat 7.

2) Future Tomcat 6 and 7 Javadoc should be generated with 7u25 or better. There will be no fix for Java 5 or 6. Thankfully, generating Javadoc using a different JDK than you used to compile is quite easy in both Maven and Ant. In fact, I personally prefer it that way, because the Javadoc is much more visually attractive in Java 7.

I will file an issue about this too, but I wanted to go ahead and make the list aware.

Nick

[1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
[2] http://www.kb.cert.org/vuls/id/225657
Comment 1 Mark Thomas 2013-06-23 19:25:54 UTC
Reducing severity to normal. There is nothing here that is going to trigger a release.

This has not and will not be fixed in trunk. Tomcat 8 builds with Java 7 and can use a fixed JDK.

This has been fixed for 7.0.x and will be included in 7.0.42 onwards. The fix is based on https://issues.apache.org/jira/browse/LUCENE-5072.
Comment 2 Mark Thomas 2014-01-13 14:15:39 UTC
Fixed in 6.0.x for 6.0.38 onwards.
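
Added example, not part of the bug thread and not Tomcat's or Oracle's code: a small audit script that walks a published documentation tree and lists Javadoc frame pages that still carry the frame loader without the URL check, so you can confirm that hosted Javadoc was regenerated or repaired. The file names and the two marker strings (`function loadFrames()` and `function validURL(url)`) are assumptions about the generated frame pages, and the sample tree is constructed.

```python
import os
import tempfile

# Assumption: marker strings from the frame-loading script that the javadoc
# tool writes into its frameset pages; they are not quoted from the bug report.
FRAME_PAGES = {"index.html", "index.htm", "toc.html", "toc.htm"}
LOADER = "function loadFrames()"
GUARD = "function validURL(url)"


def classify(html):
    """Return 'no-loader', 'patched' or 'unpatched' for one page's text."""
    if LOADER not in html:
        return "no-loader"
    return "patched" if GUARD in html else "unpatched"


def scan(root):
    """Walk root and return sorted relative paths of unpatched frame pages."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in FRAME_PAGES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if classify(fh.read()) == "unpatched":
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree(root):
    """Create constructed sample pages (not real Tomcat documentation)."""
    old = "<script>function loadFrames() { /* sets frame from query */ }</script>"
    new = "<script>function validURL(url) { }\nfunction loadFrames() { }</script>"
    pages = {
        "docs/api/index.html": old,         # generated by an older JDK, untouched
        "docs/servletapi/index.html": new,  # regenerated or repaired
        "docs/index.html": "<html>plain landing page</html>",
    }
    for rel, body in pages.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel in scan(tmp):
            print("unpatched Javadoc frame page:", rel)
```

Point `scan()` at the web root that serves the Javadoc; an empty result means no frame page with an unguarded loader was found under the assumed markers.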