Thanks Ian for doing the posts! I'll notify the PhoneGap Google Group as well (will just post a link to your posts).
On Tue, Mar 4, 2014 at 6:07 AM, Ian Clelland <[email protected]> wrote:
> Hello everyone,
>
> This morning, we released new versions of several plugins, containing a
> number of improvements and bug fixes.
>
> Two of these plugins contain important security patches, and we're
> recommending that anyone using them upgrade their plugins immediately.
>
> File-Transfer used an insecure default setting on iOS, which could allow an
> insecure SSL certificate to be accepted as valid when uploading or
> downloading files.
>
> In-App-Browser on iOS contains an exploit that could allow a malicious site
> to execute JavaScript in the context of the Cordova application.
>
> Both plugins have been updated, and the latest versions on git and at
> plugins.cordova.io have been patched.
>
> I've posted the vulnerability notices to this list, as well as bugtraq,
> full-disclosure, and the Apache security list.
>
> We'd like to thank Neil Bergman of Cigital Inc. for finding these issues,
> and working with us to resolve them quickly.
