Flume / FLUME-2103

Change Javadoc generation per CVE-2013-1571, VU#225657

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: v1.3.1
    • Fix Version/s: None
    • Component/s: Docs
    • Labels:
      None

      Description

      Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java 7 < 7u25 is vulnerable to a frame injection attack. Oracle has provided a repair-in-place tool for Javadoc that cannot be easily regenerated, but is urging developers to regenerate whatever Javadoc they can using Java 7u25. For all practical purposes, the vulnerability really only applies to publicly-hosted Javadoc, so the Javadoc in our existing Maven artifacts really doesn't have to be worried about (not that we could do anything about it).

      [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
      [2] http://www.kb.cert.org/vuls/id/225657

          Activity

          Ralph Goers added a comment -

          The live site has been patched.
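
A check a site maintainer could run over a published docs tree to find Javadoc framesets that still need regenerating or repairing, added here as an example and not part of the issue or of Flume's build. It assumes the affected index.html reads its frame target from window.location.search and that patched output defines a validURL function; the sample pages and directory names are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumed markers (not from the issue text): the frame-loading script that
# pre-7u25 Javadoc writes into index.html, and the helper patched output adds.
LOADS_FROM_QUERY = re.compile(r'targetPage\s*=\s*""\s*\+\s*window\.location\.search')
VALIDATES_TARGET = re.compile(r"function\s+validURL\s*\(")

def classify(html: str) -> str:
    """Return 'vulnerable', 'patched' or 'not-javadoc-frameset' for one page."""
    if not LOADS_FROM_QUERY.search(html):
        return "not-javadoc-frameset"
    return "patched" if VALIDATES_TARGET.search(html) else "vulnerable"

def scan(root: Path) -> dict[str, str]:
    """Classify every index.html under root; keys are paths relative to root."""
    results = {}
    for page in sorted(root.rglob("index.html")):
        verdict = classify(page.read_text(encoding="utf-8", errors="replace"))
        if verdict != "not-javadoc-frameset":
            results[page.relative_to(root).as_posix()] = verdict
    return results

# Constructed sample pages, reduced to the script block that matters.
OLD_PAGE = """<html><head><script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
        targetPage = targetPage.substring(1);
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
            top.classFrame.location = top.targetPage;
    }
</script></head></html>"""
NEW_PAGE = OLD_PAGE.replace(
    "function loadFrames()",
    "function validURL(url) { /* validation body elided */ return false; }\n"
    "    function loadFrames()")

def demo() -> dict[str, str]:
    """Build a throwaway docs tree with one old and one regenerated frameset."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in (("apidocs-old", OLD_PAGE), ("apidocs-regen", NEW_PAGE)):
            (root / name).mkdir()
            (root / name / "index.html").write_text(body, encoding="utf-8")
        (root / "index.html").write_text("<html>site home</html>", encoding="utf-8")
        return scan(root)

if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:10} {path}")
```

Point `scan()` at the document root of the hosted site; only copies served publicly matter, per the description above.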


            People

            • Assignee:
              Unassigned
            • Reporter:
              Ralph Goers
            • Votes:
              0
            • Watchers:
              1
