Posted to dev@cordova.apache.org by Ian Clelland <ic...@chromium.org> on 2014/03/04 15:07:36 UTC

Security releases this morning

Hello everyone,

This morning, we released new versions of several plugins, containing a
number of improvements and bug fixes.

Two of these plugins contain important security patches, and we're
recommending that anyone using them upgrade their plugins immediately.

File-Transfer used an insecure default setting on iOS, which could allow an
insecure SSL certificate to be accepted as valid when uploading or
downloading files.

In-App-Browser on iOS contains an exploit that could allow a malicious site
to execute JavaScript in the context of the Cordova application.

Both plugins have been updated, and the latest versions on git and at
plugins.cordova.io have been patched.

I've posted the vulnerability notices to this list, as well as bugtraq,
full-disclosure, and the Apache security list.

We'd like to thank Neil Bergman of Cigital Inc. for finding these issues,
and working with us to resolve them quickly.

Re: Security releases this morning

Posted by Shazron <sh...@gmail.com>.
Thanks Ian for doing the posts! I'll notify the PhoneGap Google Group as
well (will just post a link to your posts).


On Tue, Mar 4, 2014 at 6:07 AM, Ian Clelland <ic...@chromium.org> wrote:

> Hello everyone,
>
> This morning, we released new versions of several plugins, containing a
> number of improvements and bug fixes.
>
> Two of these plugins contain important security patches, and we're
> recommending that anyone using them upgrade their plugins immediately.
>
> File-Transfer used an insecure default setting on iOS, which could allow an
> insecure SSL certificate to be accepted as valid when uploading or
> downloading files.
>
> In-App-Browser on iOS contains an exploit that could allow a malicious site
> to execute JavaScript in the context of the Cordova application.
>
> Both plugins have been updated, and the latest versions on git and at
> plugins.cordova.io have been patched.
>
> I've posted the vulnerability notices to this list, as well as bugtraq,
> full-disclosure, and the Apache security list.
>
> We'd like to thank Neil Bergman of Cigital Inc. for finding these issues,
> and working with us to resolve them quickly.
>