lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 20 Nov 2015 11:46:54 -0800
From: Shazron <shazron@...che.org>
To: bugtraq@...urityfocus.com
Subject: Fwd: CVE-2015-5257 - Weak Randomization of BridgeSecret for Apache
 Cordova Android

---------- Forwarded message ----------
From: Joe Bowser <bowserj@...il.com>
Date: Fri, Nov 20, 2015 at 11:39 AM
Subject: CVE-2015-5257 - Weak Randomization of BridgeSecret for Apache
Cordova Android
To: DAVIDKA@...ibm.com, Roee Hay <ROEEH@...ibm.com>,
"private@...dova.apache.org" <private@...dova.apache.org>, dev
<dev@...dova.apache.org>, "security@...che.org" <security@...che.org>,
oss-security@...ts.openwall.com, bugtraq@...urityfocus.com


===================================================================
CVE-2015-5257: Weak Randomization of BridgeSecret for Apache Cordova Android

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Cordova Android versions up to and including 3.6.4

Description:

Cordova uses a bridge that allows the Native Application to communicate
with the HTML and Javascript that control the user interface.  To protect
this bridge on Android, the
framework uses a BridgeSecret to protect it from third-party hijacking.
However, the BridgeSecret is not sufficiently random and can be determined
in certain scenarios.

Upgrade Path:
Developers who are concerned about this issue should rebuild their
applications with Cordova Android 4.1.1 or later.  Version 3.7.1 and later
do not contain this vulnerability.

Credit: David Kaplan & Roee Hay, IBM X-Force Application Security Research
Team.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ