Uploaded image for project: 'Maven Javadoc Plugin'
  1. Maven Javadoc Plugin
  2. MJAVADOC-370

Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2])


    • Type: Improvement
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.9.1
    • Component/s: None
    • Labels:


      As per the Maven dev list:

      I expect you have all see the news about the Javadoc javascript bug.

      It's going to take a long time for everyone to update their Java
      installations to Java 1.7 u25. Likewise for builds that need to use
      other Java versions, tweaking poms so Java 7 is used for Javadocs
      whilst still maintaining compatibility is a non-trivial task.

      Is there any interest in releasing a "quick-fix" version of the
      javadoc plugin that automatically runs the tool after Javadoc

      The fix code is in Java, and can easily be directly called from the
      plugin (no need to start a new process).

      The license looks friendly so long as the code is only used for
      Javadoc fixups, and changes are allowed, which is just as well -

      There are a couple of bugs in the tool as currently released.
      It does not close all the resources; and failure to close the input
      file means it cannot delete the original input file on Windows; that
      needs to be fixed as it would not make sense to keep the old faulty
      file (even if it is now called index.html.orig).

      I can provide details of the fixes, but a decent IDE will probably
      warn about them anyway.

      It would be a great service to the Java community if this could be fast-tracked.

      [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html




            • Assignee:
              olamy Olivier Lamy (*$^¨%`£)
              sebb@apache.org Sebb
            • Votes:
              2 Vote for this issue
              6 Start watching this issue


              • Created: