cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michal Mocny <mmo...@chromium.org>
Subject Re: Cordova Android < 3.5.1 XAS Security Vulnerability -- possibility of releasing a 2.7-based patched version
Date Thu, 02 Oct 2014 15:40:02 GMT
Steve, it is not feasible for us to patch 2.x (sorry), as the number of
vulnerabilities there is larger than just this issue.  It really is in your
best interests to migrate (and to continue to keep up with changes going
forward).  However, we can see what we can do about helping to guide you
forward here.

Ian got this email yesterday as well for an app he published a while ago.
Perhaps we should put up instructions for the potential flood of devs
asking "How do I upgrade"?  Even if it is just organizing and pointing at
our old 2.x -> 3.0 guides.

-Michal

On Thu, Oct 2, 2014 at 11:29 AM, Joe Bowser <bowserj@gmail.com> wrote:

> No, you should upgrade to 3.5.1.  We have dropped support for Cordova 2.x
> months ago, and we recommend upgrading.
>
> On Thu, Oct 2, 2014 at 7:33 AM, <Steve.Wilson@bentley.com> wrote:
>
> > We have released applications in the Google Play store based on Cordova
> > 2.7.0 and have received notification from Google that these apps are
> > vulnerable to an Android Cordova security issue (
> > http://cordova.apache.org/announcements/2014/08/04/android-351.html).
> >
> > Upgrading to Cordova 3.5.1 would require significant work on our part. Is
> > there any possibility that you can release a patched Cordova Android
> > version based on 2.7 that would fix this security vulnerability?
> >
> > Please let me know whether you think this would be possible on your part.
> > Thank you!
> >
> > Thanks,
> > Steve Wilson
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message