ant-dev mailing list archives

From Stefan Bodewig
Subject Cutting a Release because of the Javadoc Vulnerability?
Date Fri, 05 Jul 2013 14:35:27 GMT
Hi all,

As you most probably know, Oracle's javadoc tool prior to Java 7u25
creates javadocs with a frame injection vulnerability - see
CVE-2013-1571, VU#225657 for details.

The javadoc task in trunk contains a patch based on code by Uwe
Schindler of the Lucene community that postprocesses javadoc's output,
identifies vulnerable pages and fixes them.

This is similar to the patch applied to Maven's javadoc plugin which led
to their version 2.9.1.

Do we want to cut an Ant release to help Ant users to get around the
vulnerability or is the macrodef I've added to the online manual enough
in our view?

If enough people think we should cut a release then I guess I'm
volunteering to be the RM.

