Maven Javadoc Plugin: MJAVADOC-370

Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2])

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.9.1
    • Labels: None
    • Number of attachments: 1

      Description

      As per the Maven dev list:

      I expect you have all seen the news about the Javadoc javascript bug.

      It's going to take a long time for everyone to update their Java
      installations to Java 1.7 u25. Likewise for builds that need to use
      other Java versions, tweaking poms so Java 7 is used for Javadocs
      whilst still maintaining compatibility is a non-trivial task.

      Is there any interest in releasing a "quick-fix" version of the
      javadoc plugin that automatically runs the tool after Javadoc
      completes?

      The fix code is in Java, and can easily be directly called from the
      plugin (no need to start a new process).

      The license looks friendly so long as the code is only used for
      Javadoc fixups, and changes are allowed, which is just as well -

      There are a couple of bugs in the tool as currently released.
      It does not close all the resources; and failure to close the input
      file means it cannot delete the original input file on Windows; that
      needs to be fixed as it would not make sense to keep the old faulty
      file (even if it is now called index.html.orig).

      I can provide details of the fixes, but a decent IDE will probably
      warn about them anyway.

      It would be a great service to the Java community if this could be fast-tracked.

      [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
      [2] http://www.kb.cert.org/vuls/id/225657
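The in-process fixup the post asks for, as an added example that is not code from the Maven Javadoc Plugin, from Oracle's updater tool, or from the post's author: after the javadoc tool finishes, walk the generated apidocs tree, insert a frame-target validation guard into each index.html that still lacks one, and replace the file in place without leaving a handle open, which is the Windows delete failure the post describes. The anchor line it searches for (`targetPage = targetPage.substring(1);`) is assumed to match the JDK 7 frameset page, the guard text is modelled on the validation a patched javadoc writes and is an assumption of this example, and the default output directory `target/site/apidocs` is the plugin's usual one.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.AtomicMoveNotSupportedException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Stream;

/**
 * Added example; not code from the Maven Javadoc Plugin, Oracle's updater tool,
 * or the issue's author. Rewrites generated index.html pages after javadoc has
 * run so the frame target taken from the query string is validated first.
 */
public final class JavadocFrameFixer {

    /** Line emitted by the affected javadoc versions (assumed); the guard is inserted after it. */
    static final String ANCHOR = "targetPage = targetPage.substring(1);";

    /** If this function is present the file is already fixed (patched JDK or a previous run). */
    static final String ALREADY_FIXED = "function validURL(";

    /**
     * Guard modelled on the validation a patched javadoc writes; exact text is an
     * assumption. Accepts only relative paths such as java/lang/String.html and
     * rejects scheme prefixes, "//host/..." and "..".
     */
    static final String GUARD = String.join("\n",
        "    if (targetPage != \"\" && !validURL(targetPage))",
        "        targetPage = \"undefined\";",
        "    function validURL(url) {",
        "        try { url = decodeURIComponent(url); } catch (e) { return false; }",
        "        var pos = url.indexOf(\".html\");",
        "        if (pos == -1 || pos != url.length - 5) return false;",
        "        var allowNumber = false, allowSep = false, seenDot = false;",
        "        for (var i = 0; i < url.length - 5; i++) {",
        "            var ch = url.charAt(i);",
        "            if ('a' <= ch && ch <= 'z' || 'A' <= ch && ch <= 'Z' || ch == '$' || ch == '_' || ch.charCodeAt(0) > 127) {",
        "                allowNumber = true; allowSep = true;",
        "            } else if ('0' <= ch && ch <= '9' || ch == '-') {",
        "                if (!allowNumber) return false;",
        "            } else if (ch == '/' || ch == '.') {",
        "                if (!allowSep) return false;",
        "                allowNumber = false; allowSep = false;",
        "                if (ch == '.') seenDot = true;",
        "                if (ch == '/' && seenDot) return false;",
        "            } else { return false; }",
        "        }",
        "        return true;",
        "    }");

    /** Returns the patched text, or null when the content needs no change. */
    static String patch(String html) {
        if (html.contains(ALREADY_FIXED) || !html.contains(ANCHOR)) {
            return null;
        }
        String nl = html.contains("\r\n") ? "\r\n" : "\n";   // keep the file's own line ending
        int end = html.indexOf(ANCHOR) + ANCHOR.length();
        return html.substring(0, end) + nl + GUARD.replace("\n", nl) + html.substring(end);
    }

    /** Patches one file in place; returns true when it was rewritten. */
    static boolean fixFile(Path file) throws IOException {
        // readAllBytes/write open and close the handle inside the call, so nothing is
        // still open when the rename over the original happens; an unclosed reader is
        // what makes that step fail on Windows.
        String original = new String(Files.readAllBytes(file), StandardCharsets.UTF_8);
        String patched = patch(original);
        if (patched == null) {
            return false;
        }
        // Write a sibling temp file and move it over the original. No .orig copy is kept:
        // the unpatched page is exactly the artifact that must not remain.
        Path tmp = Files.createTempFile(file.getParent(), "index", ".tmp");
        Files.write(tmp, patched.getBytes(StandardCharsets.UTF_8));
        try {
            Files.move(tmp, file, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
        } catch (AtomicMoveNotSupportedException e) {
            Files.move(tmp, file, StandardCopyOption.REPLACE_EXISTING);
        }
        return true;
    }

    /** Fixes every index.html below the apidocs directory; returns how many were rewritten. */
    static int fixTree(Path apidocs) throws IOException {
        List<Path> candidates = new ArrayList<>();
        try (Stream<Path> walk = Files.walk(apidocs)) {     // the directory stream is a resource too
            walk.filter(p -> p.getFileName() != null && p.getFileName().toString().equals("index.html"))
                .forEach(candidates::add);
        }
        int fixed = 0;
        for (Path p : candidates) {
            if (fixFile(p)) {
                fixed++;
            }
        }
        return fixed;
    }

    /** Usage: java JavadocFrameFixer [apidocs-dir]; the default is the plugin's usual output dir. */
    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : "target/site/apidocs");
        System.out.println("Patched " + fixTree(root) + " file(s) under " + root);
    }
}
```

Called from a plugin mojo, `fixTree` would run right after the javadoc invocation returns; the `ALREADY_FIXED` check keeps the step idempotent across repeated builds and on JDKs whose javadoc already emits the guard.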

        Activity

        Olivier Lamy added a comment -

        @sebb good remark. I changed it.
        Thanks!

        Uwe Schindler (ASF) added a comment -

        Hi,
        I just wanted to confirm that the auto-patching also works with IBM J9 6, IBM J9 7, and jRockit 6 (tested on Lucene's ANT task but the algorithm here is the same). Those JDKs produce identical javascript and are vulnerable like Oracle's original.
        Uwe

        Uwe Schindler (ASF) added a comment -

        FYI, for ANT users I filed a similar issue: https://issues.apache.org/bugzilla/show_bug.cgi?id=55132

        Uwe Schindler (ASF) added a comment -

        Shouldn't the Apache Root POM be updated ASAP to prevent any more security leaks? http://repo1.maven.org/maven2/org/apache/apache/13/apache-13.pom

        SebbASF added a comment -

        +1 Created https://issues.apache.org/jira/browse/MPOM-46

          People

          • Assignee: Olivier Lamy
          • Reporter: SebbASF
          • Votes: 2
          • Watchers: 7
