Author: janpio Date: Mon Nov 30 18:07:13 2020 New Revision: 1883957 URL: http://svn.apache.org/viewvc?rev=1883957&view=rev Log: Updated docs
Added: cordova/site/public/2020/ cordova/site/public/2020/11/ cordova/site/public/2020/11/30/ cordova/site/public/2020/11/30/cve-2020-11990.html Modified: cordova/site/public/announcements/2020/10/02/cordova-electron-release-2.0.0.html cordova/site/public/blog/index.html cordova/site/public/feed.xml cordova/site/public/sitemap.xml cordova/site/public/static/js/index.js Added: cordova/site/public/2020/11/30/cve-2020-11990.html URL: http://svn.apache.org/viewvc/cordova/site/public/2020/11/30/cve-2020-11990.html?rev=1883957&view=auto ============================================================================== --- cordova/site/public/2020/11/30/cve-2020-11990.html (added) +++ cordova/site/public/2020/11/30/cve-2020-11990.html Mon Nov 30 18:07:13 2020 
@@ -0,0 +1,54 @@ +<hr> + +<p>layout: post +author: + name: Jesse MacFadyen +title: "Security Advisory CVE-2020-11990" +categories: news</p> + +<h2>tags: security advisory</h2> + +<p>We have resolved a security issue in the camera plugin that could have affected certain Cordova (Android) applications.</p> + +<p><strong>CVE-2020-11990:</strong> Apache Cordova Plugin camera vulnerable to information disclosure</p> + +<p><strong>Type of Vulnerability:</strong></p> + +<p>CWE-200: Exposure of Sensitive Information to an Unauthorized Actor</p> + +<p><strong>Severity:</strong> Low</p> + +<p><strong>Vendor:</strong> The Apache Software Foundation</p> + +<p><strong>Possible attackers condition:</strong></p> + +<p>An attacker who can install (or lead the victim to install) the specially crafted (or malicious) Android application. Android documentation describes the external cache location as application specific, however, +<em>"There is no security enforced with these files. For example, any application holding Manifest.permission.WRITE</em>EXTERNAL<em>STORAGE can write to these files."</em> +( and thereby read )</p> + +<p><strong>Possible victims:</strong></p> + +<p>Android users that take pictures with an Apache Cordova based application and attached removable storage.</p> + +<p><strong>Possible Impacts:</strong></p> + +<ul> +<li>Confidentiality is breached.</li> +<li>The image file (photo) taken by the Android apps that was developed using the Apache Cordova camera plugin will be disclosed.</li> +</ul> + +<p><strong>Versions Affected:</strong></p> + +<p>Cordova Android applications using the Camera plugin</p> + +<p>( cordova-plugin-camera version 4.1.0 and below )</p> + +<p><strong>Upgrade path:</strong></p> + +<p>Developers who are concerned about this issue should install version 5.0.0 or higher of cordova-plugin-camera</p> + +<p><strong>Mitigation Steps:</strong></p> + +<p>Upgrade plugin and rebuild application, update deployments.</p> + +<p><strong>Credit:</strong> 
JPCERT/CC Vulnerability Coordination Group. (JVN#59779918)</p> Modified: cordova/site/public/announcements/2020/10/02/cordova-electron-release-2.0.0.html URL: http://svn.apache.org/viewvc/cordova/site/public/announcements/2020/10/02/cordova-electron-release-2.0.0.html?rev=1883957&r1=1883956&r2=1883957&view=diff ============================================================================== --- cordova/site/public/announcements/2020/10/02/cordova-electron-release-2.0.0.html (original) +++ cordova/site/public/announcements/2020/10/02/cordova-electron-release-2.0.0.html Mon Nov 30 18:07:13 2020 @@ -274,6 +274,26 @@ cordova platform add electron@2.0.0 </div> <div class="col-sm-6"> + <a href="/2020/11/30/cve-2020-11990.html">Next</a> + <br> + <br> + <a class="title" href="/2020/11/30/cve-2020-11990.html">Cve 2020 11990</a> + <div class="date"> 30 Nov 2020 - By </div> + <p class="content"> + <!-- + NOTE: + the markdownify filter is used here + because posts are rendered in sequence; + that is, the next post's content isn't + yet rendered at the time that this post + is being rendered, so page.next.excerpt + is still in Markdown and not HTML + + Reference: https://github.com/jekyll/jekyll/issues/2860 + --> + layout: post author: name: Jesse MacFadyen title: "Security Advisory CVE-2020-11990" categories: news... + </p> + </div> </div> </footer> Modified: cordova/site/public/blog/index.html URL: http://svn.apache.org/viewvc/cordova/site/public/blog/index.html?rev=1883957&r1=1883956&r2=1883957&view=diff ============================================================================== --- cordova/site/public/blog/index.html (original) +++ cordova/site/public/blog/index.html Mon Nov 30 18:07:13 2020 
@@ -126,6 +126,83 @@ <li> <header> + <div class="adorner" blogTime="Mon, 30 Nov 2020 00:00:00 +0000"></div> + <h2 class="title"> + <a href="/2020/11/30/cve-2020-11990.html">Cve 2020 11990</a> + </h2> + <div class="details"> + <span class="date">30 Nov 2020</span> + - by + <span class="author"> + + + + </span> + <a class="comment" href="/2020/11/30/cve-2020-11990.html#disqus_thread"></a> + </div> + </header> + <section class="post-excerpt"> + <p><hr> + +<p>layout: post +author: + name: Jesse MacFadyen +title: "Security Advisory CVE-2020-11990" +categories: news</p> + +<h2>tags: security advisory</h2> + +<p>We have resolved a security issue in the camera plugin that could have affected certain Cordova (Android) applications.</p> + +<p><strong>CVE-2020-11990:</strong> Apache Cordova Plugin camera vulnerable to information disclosure</p> + +<p><strong>Type of Vulnerability:</strong></p> + +<p>CWE-200: Exposure of Sensitive Information to an Unauthorized Actor</p> + +<p><strong>Severity:</strong> Low</p> + +<p><strong>Vendor:</strong> The Apache Software Foundation</p> + +<p><strong>Possible attackers condition:</strong></p> + +<p>An attacker who can install (or lead the victim to install) the specially crafted (or malicious) Android application. Android documentation describes the external cache location as application specific, however, +<em>"There is no security enforced with these files. 
For example, any application holding Manifest.permission.WRITE</em>EXTERNAL<em>STORAGE can write to these files."</em> +( and thereby read )</p> + +<p><strong>Possible victims:</strong></p> + +<p>Android users that take pictures with an Apache Cordova based application and attached removable storage.</p> + +<p><strong>Possible Impacts:</strong></p> + +<ul> +<li>Confidentiality is breached.</li> +<li>The image file (photo) taken by the Android apps that was developed using the Apache Cordova camera plugin will be disclosed.</li> +</ul> + +<p><strong>Versions Affected:</strong></p> + +<p>Cordova Android applications using the Camera plugin</p> + +<p>( cordova-plugin-camera version 4.1.0 and below )</p> + +<p><strong>Upgrade path:</strong></p> + +<p>Developers who are concerned about this issue should install version 5.0.0 or higher of cordova-plugin-camera</p> + +<p><strong>Mitigation Steps:</strong></p> + +<p>Upgrade plugin and rebuild application, update deployments.</p> + +<p><strong>Credit:</strong> JPCERT/CC Vulnerability Coordination Group. (JVN#59779918)</p> +</p> + <div><a href="/2020/11/30/cve-2020-11990.html">More...</a></div> + </section> + </li> + + <li> + <header> <div class="adorner" blogTime="Fri, 02 Oct 2020 00:00:00 +0000"></div> <h2 class="title"> <a href="/announcements/2020/10/02/cordova-electron-release-2.0.0.html">Cordova Electron 2.0.0 Released!</a> 
@@ -10183,7 +10260,7 @@ window.twttr = (function(d, s, id) { <script> window.onload = function(){ setTimeout(function(){ - var lastPostTime = new Date("Fri, 02 Oct 2020 00:00:00 +0000").getTime(); + var lastPostTime = new Date("Mon, 30 Nov 2020 00:00:00 +0000").getTime(); setCookie("visitTime", lastPostTime, 365); }, 2000); }; Modified: cordova/site/public/feed.xml URL: http://svn.apache.org/viewvc/cordova/site/public/feed.xml?rev=1883957&r1=1883956&r2=1883957&view=diff ============================================================================== --- cordova/site/public/feed.xml (original) +++ cordova/site/public/feed.xml Mon Nov 30 18:07:13 2020 
@@ -6,11 +6,75 @@ </description> <link>https://cordova.apache.org/</link> <atom:link href="https://cordova.apache.org/feed.xml" rel="self" type="application/rss+xml"/> - <pubDate>Sat, 28 Nov 2020 08:28:32 +0000</pubDate> - <lastBuildDate>Sat, 28 Nov 2020 08:28:32 +0000</lastBuildDate> + <pubDate>Mon, 30 Nov 2020 17:47:38 +0000</pubDate> + <lastBuildDate>Mon, 30 Nov 2020 17:47:38 +0000</lastBuildDate> <generator>Jekyll v2.5.3</generator> <item> + <title>Cve 2020 11990</title> + <description><hr> + +<p>layout: post +author: + name: Jesse MacFadyen +title: &quot;Security Advisory CVE-2020-11990&quot; +categories: news</p> + +<h2>tags: security advisory</h2> + +<p>We have resolved a security issue in the camera plugin that could have affected certain Cordova (Android) applications.</p> + +<p><strong>CVE-2020-11990:</strong> Apache Cordova Plugin camera vulnerable to information disclosure</p> + +<p><strong>Type of Vulnerability:</strong></p> + +<p>CWE-200: Exposure of Sensitive Information to an Unauthorized Actor</p> + +<p><strong>Severity:</strong> Low</p> + +<p><strong>Vendor:</strong> The Apache Software Foundation</p> + +<p><strong>Possible attackers condition:</strong></p> + +<p>An attacker who can install (or lead the victim to install) the specially crafted (or malicious) Android application. Android documentation describes the external cache location as application specific, however, +<em>&quot;There is no security enforced with these files. 
For example, any application holding Manifest.permission.WRITE</em>EXTERNAL<em>STORAGE can write to these files.&quot;</em> +( and thereby read )</p> + +<p><strong>Possible victims:</strong></p> + +<p>Android users that take pictures with an Apache Cordova based application and attached removable storage.</p> + +<p><strong>Possible Impacts:</strong></p> + +<ul> +<li>Confidentiality is breached.</li> +<li>The image file (photo) taken by the Android apps that was developed using the Apache Cordova camera plugin will be disclosed.</li> +</ul> + +<p><strong>Versions Affected:</strong></p> + +<p>Cordova Android applications using the Camera plugin</p> + +<p>( cordova-plugin-camera version 4.1.0 and below )</p> + +<p><strong>Upgrade path:</strong></p> + +<p>Developers who are concerned about this issue should install version 5.0.0 or higher of cordova-plugin-camera</p> + +<p><strong>Mitigation Steps:</strong></p> + +<p>Upgrade plugin and rebuild application, update deployments.</p> + +<p><strong>Credit:</strong> JPCERT/CC Vulnerability Coordination Group. (JVN#59779918)</p> +</description> + <pubDate>Mon, 30 Nov 2020 00:00:00 +0000</pubDate> + <link>https://cordova.apache.org/2020/11/30/cve-2020-11990.html</link> + <guid isPermaLink="true">https://cordova.apache.org/2020/11/30/cve-2020-11990.html</guid> + + + </item> + + <item> <title>Cordova Electron 2.0.0 Released!</title> <description><p>We are happy to announce that we have just released <code>Cordova Electron 2.0.0</code>! This is one of Cordova&#39;s supported platforms for building Electron applications.</p> 
@@ -745,39 +809,5 @@ npm install <span class="nt" </item> - <item> - <title>Cordova Common 4.0.2 Released!</title> - <description><p>We are happy to announce that <code>cordova-common@4.0.2</code> was released in July 2020. This is one of the libraries used behind-the-scenes by nearly all of the Cordova tooling and provides utilities for dealing with things like <code>config.xml</code> parsing.</p> - -<h2>Release Highlights</h2> - -<p>The most notable fix in this patch release is the ability to update the correct app&#39;s <code>plist</code> file when multiple <code>plist</code> files are present within the project. More details can be found in the <a href="https://github.com/apache/cordova-common/pull/148">pull request</a> and <a href="https://github.com/apache/cordova-common/issues/144">original bug ticket</a>.</p> - -<p>Please report any issues you find at <a href="http://issues.cordova.io/">issues.cordova.io</a>!</p> - -<!--more--> - -<h1>Changes include:</h1> - -<ul> -<li><a href="https://github.com/apache/cordova-common/pull/148">GH-148</a> fix(ios): resolve correct path to app info <code>plist</code> when multiple <code>plist</code> files are present</li> -<li><a href="https://github.com/apache/cordova-common/pull/147">GH-147</a> chore: remove trailing whitespace</li> -<li><a href="https://github.com/apache/cordova-common/pull/146">GH-146</a> chore: bump <code>devDependencies</code> <code>nyc</code> -&gt; <code>^15.1.0</code></li> -<li><a href="https://github.com/apache/cordova-common/pull/145">GH-145</a> test: remove unused test fixtures</li> -</ul> -</description> - <pubDate>Sat, 04 Jul 2020 00:00:00 +0000</pubDate> - <link>https://cordova.apache.org/announcements/2020/07/04/cordova-common-release-4.0.2.html</link> - <guid isPermaLink="true">https://cordova.apache.org/announcements/2020/07/04/cordova-common-release-4.0.2.html</guid> - - <category>news</category> - - <category>releases</category> - - - <category>announcements</category> - - </item> - 
</channel> </rss> Modified: cordova/site/public/sitemap.xml URL: http://svn.apache.org/viewvc/cordova/site/public/sitemap.xml?rev=1883957&r1=1883956&r2=1883957&view=diff ============================================================================== --- cordova/site/public/sitemap.xml (original) +++ cordova/site/public/sitemap.xml Mon Nov 30 18:07:13 2020 @@ -4,6 +4,11 @@ <!-- posts --> <url> + <loc>https://cordova.apache.org/2020/11/30/cve-2020-11990.html</loc> +</url> + + +<url> <loc>https://cordova.apache.org/announcements/2020/10/02/cordova-electron-release-2.0.0.html</loc> </url> Modified: cordova/site/public/static/js/index.js URL: http://svn.apache.org/viewvc/cordova/site/public/static/js/index.js?rev=1883957&r1=1883956&r2=1883957&view=diff ============================================================================== --- cordova/site/public/static/js/index.js (original) +++ cordova/site/public/static/js/index.js Mon Nov 30 18:07:13 2020 @@ -77,6 +77,7 @@ function checkNotification() { var dates = []; if (lastVisit != "") { + dates.push('Mon, 30 Nov 2020 00:00:00 +0000'); dates.push('Fri, 02 Oct 2020 00:00:00 +0000'); dates.push('Tue, 29 Sep 2020 00:00:00 +0000'); dates.push('Fri, 18 Sep 2020 00:00:00 +0000');
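Review bot: In the added cordova/site/public/2020/11/30/cve-2020-11990.html, the post's front matter was published as body text instead of being parsed: after an opening horizontal rule the page starts with `<p>layout: post author: name: Jesse MacFadyen title: "Security Advisory CVE-2020-11990" categories: news</p>` and `<h2>tags: security advisory</h2>`. That is the output Markdown gives when the `---` delimiters are read as content, so the source post's front matter block should be corrected (it has to start on the first line of the file) and the site regenerated; as committed, the advisory has no parsed title, author, category or tags, and it sits at /2020/11/30/ with no category segment in its path. In the same hunk the Android permission is rendered as `Manifest.permission.WRITE</em>EXTERNAL<em>STORAGE`: the underscores were consumed as emphasis markers, so escape them or put the constant in a code span so that it reads WRITE_EXTERNAL_STORAGE.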
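Review bot: In the cordova-electron-release-2.0.0.html hunk, the new "Next" block links to the advisory as `Cve 2020 11990` with an empty byline (`30 Nov 2020 - By `), and the excerpt paragraph prints the raw metadata (`layout: post author: name: Jesse MacFadyen title: ...`). These values are derived from the advisory post, so once its front matter parses, regenerate this page and check that the link shows the title "Security Advisory CVE-2020-11990" and the author name.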
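Review bot: In the blog/index.html hunk at -126,6 +126,83, the excerpt is emitted as `<p><hr>` followed by further `<p>`, `<h2>` and `<ul>` elements and a trailing `</p>`. Block elements cannot be nested inside a paragraph, so the markup is invalid and browsers will close the outer `<p>` early. The same list entry has the heading `Cve 2020 11990` and an empty `<span class="author">`, and it carries the full advisory text ahead of the "More..." link rather than a short excerpt. Fix the post metadata, then have the listing wrap the excerpt in a container that may hold block content.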
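Review bot: In the feed.xml hunk at -6,11 +6,75, the new `<item>` for the advisory has `<title>Cve 2020 11990</title>` and no `<category>` elements, whereas the Cordova Common 4.0.2 item removed in the later hunk of the same file carries `news`, `releases` and `announcements`. Subscribers who filter the feed by title or category will not recognise this entry as a security advisory. After fixing the post's metadata, confirm that the regenerated item has the advisory title and a `news` category.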