cordova-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bows...@apache.org
Subject docs commit: Posting advisories
Date Fri, 20 Nov 2015 22:38:51 GMT
Repository: cordova-docs
Updated Branches:
  refs/heads/master a5361d0e5 -> 81b7245cf


Posting advisories


Project: http://git-wip-us.apache.org/repos/asf/cordova-docs/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-docs/commit/81b7245c
Tree: http://git-wip-us.apache.org/repos/asf/cordova-docs/tree/81b7245c
Diff: http://git-wip-us.apache.org/repos/asf/cordova-docs/diff/81b7245c

Branch: refs/heads/master
Commit: 81b7245cfd8984219b69b392cafda1d034297a11
Parents: a5361d0
Author: Joe Bowser <bowserj@apache.org>
Authored: Fri Nov 20 11:39:23 2015 -0800
Committer: Joe Bowser <bowserj@apache.org>
Committed: Fri Nov 20 14:38:44 2015 -0800

----------------------------------------------------------------------
 www/_posts/2015-11-20-security.md | 67 ++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cordova-docs/blob/81b7245c/www/_posts/2015-11-20-security.md
----------------------------------------------------------------------
diff --git a/www/_posts/2015-11-20-security.md b/www/_posts/2015-11-20-security.md
new file mode 100644
index 0000000..0089a39
--- /dev/null
+++ b/www/_posts/2015-11-20-security.md
@@ -0,0 +1,67 @@
+---
+layout: post
+author:
+    name: Joe Bowser
+    url: https://twitter.com/infil00p
+title:  "CVE annoucements for Cordova-Android"
+categories: announcements
+tags: news releases security
+---
+
+Two older vulerabilities were brought to our attention, and while we found that they were
fixed in later versions of Cordova, we are required to announce these
+vulnerabilities, and to encourage users to upgrade to a supported version of Cordova, the
lowest stable version currently being Android 4.1.0.  We are no longer supporting
+Cordova-Android 3.x due to security issues related to the legacy whitelist implementation,
and we recommend that users upgrade to Cordova Android 5.0.x for Marshmallow support.
+
+When using the Cordova CLI, the command to use 4.1.0 of Cordova Android is:
+
+    cordova platform add android@4.1.0
+
+The security issues are CVE-2015-5256 and CVE-2015-5257
+
+For your convenience, the text of the CVEs are included here.
+
+<!--more-->
+
+____
+
+CVE-2015-5256: Apache Cordova vulnerable to improper application of whitelist restrictions
on Android
+
+Severity: Medium
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Cordova Android 3.7.2 and earlier
+
+Description:
+Android applications created using Apache Cordova that use a remote server contain a vulnerability
where whitelist restrictions are not properly applied.
+Improperly crafted URIs could be used to circumvent the whitelist, allowing for the execution
of non-whitelisted Javascript.
+
+Upgrade path:
+Developers who are concerned about this should rebuild their applications with Cordova Android
4.1.1.  Developers using remote content roots should also
+use SSL, as well as Content Source Policy to further mitigate this issue.
+
+Credit: Muneaki Nishimura of Sony Digital Network Applications, Inc
+
+____
+
+CVE-2015-5257: Weak Randomization of BridgeSecret for Apache Cordova Android
+
+Severity: Low
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Cordova Android versions up to 3.6.4
+
+Description:
+
+Cordova uses a bridge that allows the Native Application to communicate with the HTML and
Javascript that control the user interface.  To protect this bridge on Android, the 
+framework uses a BridgeSecret to protect it from third-party hijacking.  However, the BridgeSecret
is not sufficiently random and can be determined in certain scenarios.
+
+Upgreade Path:
+Developers who are concerned about this issue should rebuild their applications with Cordova
Android 4.1.1 or later.  Versions after 3.6.4 do not contain this vulnerability.
+
+Credit: David Kaplan & Roee Hay, IBM X-Force Application Security Research Team


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cordova.apache.org
For additional commands, e-mail: commits-help@cordova.apache.org


Mime
View raw message