| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAE6O_-ZzFq5ZyrrWonQaFEQi+7tpb94M4DFJF6tD6oBxekM88A@mail.gmail.com> Date: Fri, 20 Nov 2015 11:46:54 -0800 From: Shazron <shazron@...che.org> To: bugtraq@...urityfocus.com Subject: Fwd: CVE-2015-5257 - Weak Randomization of BridgeSecret for Apache Cordova Android ---------- Forwarded message ---------- From: Joe Bowser <bowserj@...il.com> Date: Fri, Nov 20, 2015 at 11:39 AM Subject: CVE-2015-5257 - Weak Randomization of BridgeSecret for Apache Cordova Android To: DAVIDKA@...ibm.com, Roee Hay <ROEEH@...ibm.com>, "private@...dova.apache.org" <private@...dova.apache.org>, dev <dev@...dova.apache.org>, "security@...che.org" <security@...che.org>, oss-security@...ts.openwall.com, bugtraq@...urityfocus.com =================================================================== CVE-2015-5257: Weak Randomization of BridgeSecret for Apache Cordova Android Severity: Low Vendor: The Apache Software Foundation Versions Affected: Cordova Android versions up to and including 3.6.4 Description: Cordova uses a bridge that allows the Native Application to communicate with the HTML and Javascript that control the user interface. To protect this bridge on Android, the framework uses a BridgeSecret to protect it from third-party hijacking. However, the BridgeSecret is not sufficiently random and can be determined in certain scenarios. Upgrade Path: Developers who are concerned about this issue should rebuild their applications with Cordova Android 4.1.1 or later. Version 3.7.1 and later do not contain this vulnerability. Credit: David Kaplan & Roee Hay, IBM X-Force Application Security Research Team.
Powered by blists - more mailing lists