cordova-commits mailing list archives

From csantan...@apache.org
Subject docs commit: updating security update for CV 2015-11-20
Date Sun, 13 Mar 2016 00:27:02 GMT
Repository: cordova-docs
Updated Branches:
  refs/heads/master a1b3b7457 -> 28676135e


updating security update for CV 2015-11-20


Project: http://git-wip-us.apache.org/repos/asf/cordova-docs/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-docs/commit/28676135
Tree: http://git-wip-us.apache.org/repos/asf/cordova-docs/tree/28676135
Diff: http://git-wip-us.apache.org/repos/asf/cordova-docs/diff/28676135

Branch: refs/heads/master
Commit: 28676135ebc9fba9ec1ee6a09b81f3877653a570
Parents: a1b3b74
Author: Carlos Santana <csantana23@gmail.com>
Authored: Sat Mar 12 19:26:55 2016 -0500
Committer: Carlos Santana <csantana23@gmail.com>
Committed: Sat Mar 12 19:26:55 2016 -0500

----------------------------------------------------------------------
 www/_posts/2015-11-20-security.md | 33 +++++++++++++++++++--------------
 1 file changed, 19 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cordova-docs/blob/28676135/www/_posts/2015-11-20-security.md
----------------------------------------------------------------------
diff --git a/www/_posts/2015-11-20-security.md b/www/_posts/2015-11-20-security.md
index 0089a39..a0813ee 100644
--- a/www/_posts/2015-11-20-security.md
+++ b/www/_posts/2015-11-20-security.md
@@ -8,13 +8,18 @@ categories: announcements
 tags: news releases security
 ---
 
-Two older vulerabilities were brought to our attention, and while we found that they were
fixed in later versions of Cordova, we are required to announce these
-vulnerabilities, and to encourage users to upgrade to a supported version of Cordova, the
lowest stable version currently being Android 4.1.0.  We are no longer supporting
-Cordova-Android 3.x due to security issues related to the legacy whitelist implementation,
and we recommend that users upgrade to Cordova Android 5.0.x for Marshmallow support.
+*Updated 02/20/2016*
 
-When using the Cordova CLI, the command to use 4.1.0 of Cordova Android is:
+Apache Cordova has re-visited CVE-2015-5256 "Apache Cordova vulnerable to improper application
of whitelist restrictions on Android”. Upon further investigation we found that the vulnerability
is more limited than was previously understood.
+We are lowering the severity to Low, and updating the description, affected versions, and
upgrade path.
+
+CVE-2015-5257 continues to be a valid vulnerability present in Cordova 3.6.4 and this is
fixed in later versions of Cordova, and we want to encourage users 
+to upgrade to 4.1.1 and for users needing to support Marshmallow (API 23+) we recommend to
upgrade to Cordova Android 5.1.x.
+
+When using the Cordova CLI, the command to use 4.1.1 or 5.1.0 of Cordova Android is:
 
     cordova platform add android@4.1.0
+    cordova platform add android@5.1.0
 
 The security issues are CVE-2015-5256 and CVE-2015-5257
 
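Review bot: the new sentence "When using the Cordova CLI, the command to use 4.1.1 or 5.1.0 of Cordova Android is:" contradicts the unchanged command line that follows it, `cordova platform add android@4.1.0`, which still pins the version the post no longer recommends; change that line to `cordova platform add android@4.1.1`. The same paragraph also says "Cordova Android 5.1.x" in one sentence and "5.1.0" in the next; pick one. Minor: `Android”` closes a straight opening quote with a curly one, and the line ending in "encourage users " carries trailing whitespace.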
@@ -24,26 +29,25 @@ For your convenience, the text of the CVEs are included here.
 
 ____
 
-CVE-2015-5256: Apache Cordova vulnerable to improper application of whitelist restrictions
on Android
+*Updated 02/20/2016*
 
-Severity: Medium
+CVE-2015-5256: Apache Cordova vulnerable to improper application of whitelist restrictions
on Android
 
-Vendor:
-The Apache Software Foundation
+Severity: Low
 
 Versions Affected:
-Cordova Android 3.7.2 and earlier
+Cordova Android with whitelist functionality
 
 Description:
-Android applications created using Apache Cordova that use a remote server contain a vulnerability
where whitelist restrictions are not properly applied.
-Improperly crafted URIs could be used to circumvent the whitelist, allowing for the execution
of non-whitelisted Javascript.
+
+Android applications created using Apache Cordova that use a remote server contain a vulnerability
where whitelist restrictions for urls using protocols http and https are not properly applied.
 Whitelist cannot block network redirects from a whitelisted remote website to a non-whitelisted
website.
 
 Upgrade path:
-Developers who are concerned about this should rebuild their applications with Cordova Android
4.1.1.  Developers using remote content roots should also
-use SSL, as well as Content Source Policy to further mitigate this issue.
 
-Credit: Muneaki Nishimura of Sony Digital Network Applications, Inc
+There is no specific software patch for this vulnerability. Developers that are concerned
about this should make sure to only whitelist trusted websites, and make sure that whitelisted
websites don’t redirect to a malicious website. 
+Developers should also use SSL, as well as Content Security Policy(CSP) to further mitigate
this issue. It’s always recommended for developers to upgrade to the latest version of Cordova
Android.
 
+Credit: Muneaki Nishimura of Sony Digital Network Applications, Inc
 ____
 
 CVE-2015-5257: Weak Randomization of BridgeSecret for Apache Cordova Android
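Review bot: the updated "Versions Affected: Cordova Android with whitelist functionality", read together with "There is no specific software patch for this vulnerability", leaves it unclear whether the 4.1.1 and 5.1.x releases recommended at the top of the post are still affected by CVE-2015-5256; state plainly that every Cordova Android version using the whitelist is affected, because the whitelist cannot enforce its restrictions across an HTTP redirect from a whitelisted site, so upgrading alone does not close this issue and the mitigation is the trusted-origin list plus SSL and CSP described in "Upgrade path". Minor: "urls" should be "URLs", "Content Security Policy(CSP)" needs a space before the parenthesis, and this entry mixes curly apostrophes ("don’t", "It’s") with the straight quotes used elsewhere in the file.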
@@ -62,6 +66,7 @@ Cordova uses a bridge that allows the Native Application to communicate
with the
 framework uses a BridgeSecret to protect it from third-party hijacking.  However, the BridgeSecret
is not sufficiently random and can be determined in certain scenarios.
 
 Upgreade Path:
+
 Developers who are concerned about this issue should rebuild their applications with Cordova
Android 4.1.1 or later.  Versions after 3.6.4 do not contain this vulnerability.
 
 Credit: David Kaplan & Roee Hay, IBM X-Force Application Security Research Team
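Review bot: this hunk only inserts a blank line under "Upgreade Path:" and leaves the typo on that context line untouched; since the section is being edited anyway, change it to "Upgrade path:" so it matches the heading used in the CVE-2015-5256 entry above.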



