The Apache Infra / Security team posted to all committers:
Oracle has announced ,  a frame injection vulnerability in Javadoc generated by Java 5, Java 6 and Java 7 before update 22.
Please take the necessary steps to fix any currently published Javadoc and to ensure that any future Javadoc published by your project does not contain the vulnerability. The announcement by Oracle includes a link to a tool that can be used to fix Javadoc without regeneration.
The infrastructure team is investigating options for preventing the publication of vulnerable Javadoc.
The issue is public and may be discussed freely on your project's dev list.
Mark (ASF Infra)
For the moment, due a bug with multiple reports (see http://jira.codehaus.org/browse/MSHARED-271 for further details), our site only is affected by one instance.
The buildbot+maven environment still uses Java6, so all the workaround in the maven plugin (https://jira.codehaus.org/browse/MJAVADOC-370) wouldn't be enough...