From: Andrew Grieve
Date: Thu, 2 Oct 2014 11:40:48 -0400
Subject: Re: Cordova Android < 3.5.1 XAS Security Vulnerability -- possibility of releasing a 2.7-based patched version
To: dev, iclelland, Joe Bowser

That said, the relevant patch is here:
https://github.com/apache/cordova-android/commit/2ab81bc5aeb575fef3657cf48a671607e81ca37d

(Ian / Joe, please correct me if there's more than that)

On Thu, Oct 2, 2014 at 11:29 AM, Joe Bowser wrote:

> No, you should upgrade to 3.5.1. We have dropped support for Cordova 2.x
> months ago, and we recommend upgrading.
>
> On Thu, Oct 2, 2014 at 7:33 AM, wrote:
>
> > We have released applications in the Google Play store based on Cordova
> > 2.7.0 and have received notification from Google that these apps are
> > vulnerable to an Android Cordova security issue (
> > http://cordova.apache.org/announcements/2014/08/04/android-351.html).
> >
> > Upgrading to Cordova 3.5.1 would require significant work on our part. Is
> > there any possibility that you can release a patched Cordova Android
> > version based on 2.7 that would fix this security vulnerability?
> >
> > Please let me know whether you think this would be possible on your part.
> > Thank you!
> >
> > Thanks,
> > Steve Wilson