Repository: cordova-docs Updated Branches: refs/heads/master 04aa49086 -> 0ea960955
CB-10843 Fixing typo. Project: http://git-wip-us.apache.org/repos/asf/cordova-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/cordova-docs/commit/0ea96095 Tree: http://git-wip-us.apache.org/repos/asf/cordova-docs/tree/0ea96095 Diff: http://git-wip-us.apache.org/repos/asf/cordova-docs/diff/0ea96095 Branch: refs/heads/master Commit: 0ea96095569a8ba78e006152438d529be2698809 Parents: 04aa490 Author: Dmitry Blotsky <dmitry.blot...@gmail.com> Authored: Wed Apr 6 18:59:03 2016 -0700 Committer: Dmitry Blotsky <dmitry.blot...@gmail.com> Committed: Wed Apr 6 18:59:03 2016 -0700 ---------------------------------------------------------------------- www/_posts/2015-11-20-security.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cordova-docs/blob/0ea96095/www/_posts/2015-11-20-security.md ---------------------------------------------------------------------- diff --git a/www/_posts/2015-11-20-security.md b/www/_posts/2015-11-20-security.md index a0813ee..51126c2 100644 --- a/www/_posts/2015-11-20-security.md +++ b/www/_posts/2015-11-20-security.md @@ -3,7 +3,7 @@ layout: post author: name: Joe Bowser url: https://twitter.com/infil00p -title: "CVE annoucements for Cordova-Android" +title: "CVE announcements for Cordova-Android" categories: announcements tags: news releases security --- 
@@ -13,7 +13,7 @@ tags: news releases security Apache Cordova has re-visited CVE-2015-5256 "Apache Cordova vulnerable to improper application of whitelist restrictions on Androidâ. Upon further investigation we found that the vulnerability is more limited than was previously understood. We are lowering the severity to Low, and updating the description, affected versions, and upgrade path. -CVE-2015-5257 continues to be a valid vulnerability present in Cordova 3.6.4 and this is fixed in later versions of Cordova, and we want to encourage users +CVE-2015-5257 continues to be a valid vulnerability present in Cordova 3.6.4 and this is fixed in later versions of Cordova, and we want to encourage users to upgrade to 4.1.1 and for users needing to support Marshmallow (API 23+) we recommend to upgrade to Cordova Android 5.1.x. When using the Cordova CLI, the command to use 4.1.1 or 5.1.0 of Cordova Android is: @@ -44,7 +44,7 @@ Android applications created using Apache Cordova that use a remote server conta Upgrade path: -There is no specific software patch for this vulnerability. Developers that are concerned about this should make sure to only whitelist trusted websites, and make sure that whitelisted websites donât redirect to a malicious website. +There is no specific software patch for this vulnerability. Developers that are concerned about this should make sure to only whitelist trusted websites, and make sure that whitelisted websites donât redirect to a malicious website. Developers should also use SSL, as well as Content Security Policy(CSP) to further mitigate this issue. Itâs always recommended for developers to upgrade to the latest version of Cordova Android. Credit: Muneaki Nishimura of Sony Digital Network Applications, Inc 
@@ -62,7 +62,7 @@ Cordova Android versions up to 3.6.4 Description: -Cordova uses a bridge that allows the Native Application to communicate with the HTML and Javascript that control the user interface. To protect this bridge on Android, the +Cordova uses a bridge that allows the Native Application to communicate with the HTML and Javascript that control the user interface. To protect this bridge on Android, the framework uses a BridgeSecret to protect it from third-party hijacking. However, the BridgeSecret is not sufficiently random and can be determined in certain scenarios. Upgreade Path: --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cordova.apache.org For additional commands, e-mail: commits-h...@cordova.apache.org
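Review bot: In the hunk at @@ -13,7 +13,7 @@, the removed and added "CVE-2015-5257 continues to be a valid vulnerability ..." lines read identically, as do the changed lines in the two hunks that follow, so the edit is presumably whitespace only. The commit message "Fixing typo" describes only the title change; it should mention the whitespace cleanup, or that cleanup should go in a separate commit. The leading context line of this hunk also opens the quoted CVE title with a straight quote and closes it with a character that shows up mis-encoded ("on Androidâ"); a straight closing quote would fix that.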
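Review bot: In the hunk at @@ -44,7 +44,7 @@, the added line still carries a non-ASCII apostrophe that shows up mis-encoded in "donât redirect", and the unchanged line after it has the same problem in "Itâs always recommended". Replacing both with a plain ASCII apostrophe would keep the mitigation advice readable wherever the post is rendered. That same context line reads "Content Security Policy(CSP)" with no space before the parenthesis, which this typo pass could fix as well.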
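Review bot: In the hunk at @@ -62,7 +62,7 @@, the trailing context line still reads "Upgreade Path:", a misspelling that this typo-fix commit leaves in place. It should be "Upgrade Path:", and since the section in the previous hunk writes the heading as "Upgrade path:", one capitalisation should be used for both. The changed line also spells "Javascript" where "JavaScript" is the usual form.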