[aerogear-dev] [Cordova] Important security fixes for Cordova-Android just released

[aerogear-dev] [Cordova] Important security fixes for Cordova-Android just released

Matthias Wessendorf

_______________________________________________
aerogear-dev mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/aerogear-dev

Re: [aerogear-dev] [Cordova] Important security fixes for Cordova-Android just released

Karel Piwko
+1 for updating.

On Tue, Aug 5, 2014 at 8:45 AM, Matthias Wessendorf <[hidden email]>
wrote:

> FYI
>
> https://twitter.com/apachecordova/status/496418463666028545
>
> Wondering, should we update the plugin ?
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf

Re: [aerogear-dev] [Cordova] Important security fixes for Cordova-Android just released

Erik Jan de Wit
We had this discussion before and I still feel that this course of action is wrong. It’s like let’s update the java library that we created when there is a security error in java.

All people have to do is to use the newer version of the android platform (if they are currently using 3.5.0)

cordova platform add android@3.5.1


On 5 Aug,2014, at 10:04 , Karel Piwko <[hidden email]> wrote:

> +1 for updating.
>
> On Tue, Aug 5, 2014 at 8:45 AM, Matthias Wessendorf <[hidden email]>
> wrote:
>> FYI
>>
>> https://twitter.com/apachecordova/status/496418463666028545
>>
>> Wondering, should we update the plugin ?
>>
>> --
>> Matthias Wessendorf
>>
>> blog: http://matthiaswessendorf.wordpress.com/
>> sessions: http://www.slideshare.net/mwessendorf
>> twitter: http://twitter.com/mwessendorf

Re: [aerogear-dev] [Cordova] Important security fixes for Cordova-Android just released

Matthias Wessendorf
how about adding some notes on the README ?


On Tue, Aug 5, 2014 at 10:26 AM, Erik Jan de Wit <[hidden email]> wrote:
> We had this discussion before and I still feel that this course of action is wrong. It’s like let’s update the java library that we created when there is a security error in java.
>
> All people have to do is to use the newer version of the android platform (if they are currently using 3.5.0)
>
> cordova platform add android@3.5.1
>
>
> On 5 Aug,2014, at 10:04 , Karel Piwko <[hidden email]> wrote:
>
>> +1 for updating.
>>
>> On Tue, Aug 5, 2014 at 8:45 AM, Matthias Wessendorf <[hidden email]>
>> wrote:
>>> FYI
>>>
>>> https://twitter.com/apachecordova/status/496418463666028545
>>>
>>> Wondering, should we update the plugin ?
>>>
>>> --
>>> Matthias Wessendorf
>>>
>>> blog: http://matthiaswessendorf.wordpress.com/
>>> sessions: http://www.slideshare.net/mwessendorf
>>> twitter: http://twitter.com/mwessendorf

--
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf

Re: [aerogear-dev] [Cordova] Important security fixes for Cordova-Android just released

Karel Piwko
In reply to this post by Erik Jan de Wit
In such case, would it make sense to lock Cordova related versions in
our tutorials/quickstarts/documentation and update versions there after
security bug instead?

On Tue, Aug 5, 2014 at 10:26 AM, Erik Jan de Wit <[hidden email]>
wrote:

> We had this discussion before and I still feel that this course of
> action is wrong. It’s like let’s update the java library that we
> created when there is a security error in java.
>
> All people have to do is to use the newer version of the android
> platform (if they are currently using 3.5.0)
>
> cordova platform add android@3.5.1
>
>
> On 5 Aug,2014, at 10:04 , Karel Piwko <[hidden email]> wrote:
>
>> +1 for updating.
>>
>> On Tue, Aug 5, 2014 at 8:45 AM, Matthias Wessendorf
>> <[hidden email]>
>> wrote:
>>> FYI
>>>
>>> https://twitter.com/apachecordova/status/496418463666028545
>>>
>>> Wondering, should we update the plugin ?
>>>
>>> --
>>> Matthias Wessendorf
>>>
>>> blog: http://matthiaswessendorf.wordpress.com/
>>> sessions: http://www.slideshare.net/mwessendorf
>>> twitter: http://twitter.com/mwessendorf
>>
>> _______________________________________________
>> aerogear-dev mailing list
>> [hidden email]
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>


Re: [aerogear-dev] [Cordova] Important security fixes for Cordova-Android just released

Erik Jan de Wit

On 5 Aug,2014, at 10:42 , Karel Piwko <[hidden email]> wrote:

> In such case, would it make sense to lock Cordova related versions in
> our tutorials/quickstarts/documentation and update versions there after
> security bug instead?
>

When you try out / install our demo now, you’ll get the latest version of the android platform (3.5.1). This security update is ‘only’ important if you have a project currently on your drive; then you’ll have to update the android platform.


Re: [aerogear-dev] [Cordova] Important security fixes for Cordova-Android just released

Bruno Oliveira
In reply to this post by Matthias Wessendorf
Please!

On 2014-08-05, Matthias Wessendorf wrote:

> FYI
>
> https://twitter.com/apachecordova/status/496418463666028545
>
> Wondering, should we update the plugin ?
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf

> _______________________________________________
> aerogear-dev mailing list
> [hidden email]
> https://lists.jboss.org/mailman/listinfo/aerogear-dev


--

abstractj
PGP: 0x84DC9914

Re: [aerogear-dev] [Cordova] Important security fixes for Cordova-Android just released

Bruno Oliveira
In reply to this post by Erik Jan de Wit
On 2014-08-05, Erik Jan de Wit wrote:
> We had this discussion before and I still feel that this course of action is wrong. It’s like let’s update the java library that we created when there is a security error in java.

That **must** be the correct approach, most part of the time the cause
of people exploiting security vulnerabilities is because the software is
outdated. Do you want to engage our developers to ignore it?

>
> All people have to do is to use the newer version of the android platform (if they are currently using 3.5.0)
>
> cordova platform add android@3.5.1

I still disagree on that, we must lead by example and encourage them to
update their versions.

>
>
> On 5 Aug,2014, at 10:04 , Karel Piwko <[hidden email]> wrote:
>
> > +1 for updating.
> >
> > On Tue, Aug 5, 2014 at 8:45 AM, Matthias Wessendorf <[hidden email]>
> > wrote:
> >> FYI
> >>
> >> https://twitter.com/apachecordova/status/496418463666028545
> >>
> >> Wondering, should we update the plugin ?
> >>
> >> --
> >> Matthias Wessendorf
> >>
> >> blog: http://matthiaswessendorf.wordpress.com/
> >> sessions: http://www.slideshare.net/mwessendorf
> >> twitter: http://twitter.com/mwessendorf
> >
> > _______________________________________________
> > aerogear-dev mailing list
> > [hidden email]
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>

> _______________________________________________
> aerogear-dev mailing list
> [hidden email]
> https://lists.jboss.org/mailman/listinfo/aerogear-dev


--

abstractj
PGP: 0x84DC9914

Re: [aerogear-dev] [Cordova] Important security fixes for Cordova-Android just released

Erik Jan de Wit

On 5 Aug,2014, at 13:25 , Bruno Oliveira <[hidden email]> wrote:

> On 2014-08-05, Erik Jan de Wit wrote:
>> We had this discussion before and I still feel that this course of action is wrong. It’s like let’s update the java library that we created when there is a security error in java.
>
> That **must** be the correct approach, most part of the time the cause
> of people exploiting security vulnerabilities is because the software is
> outdated. Do you want to engage our developers to ignore it?

It’s not cordova itself that is vulnerable, it’s one particular version of a platform (3.5.0 android). I’m not saying that people should ignore security, just that we use a runtime and we cannot be held responsible or control what version of that runtime people are using.

Re: [aerogear-dev] [Cordova] Important security fixes for Cordova-Android just released

tolis emmanouilidis
2014-08-05 14:34 GMT+03:00 Erik Jan de Wit <[hidden email]>:

> It’s not cordova itself that is vulnerable, it’s one particular version of a platform (3.5.0 android). I’m not saying that people should ignore security, just that we use a runtime and we cannot be held responsible or control what version of that runtime people are using.


+1 I think it's users responsibility to upgrade or not. Also, it looks like Apache is not enforcing the latest cordova version in their plugins, e.g. https://github.com/apache/cordova-plugin-statusbar/blob/master/plugin.xml#L32


Re: [aerogear-dev] [Cordova] Important security fixes for Cordova-Android just released

Matthias Wessendorf



On Tue, Aug 5, 2014 at 1:57 PM, tolis emmanouilidis <[hidden email]> wrote:
> 2014-08-05 14:34 GMT+03:00 Erik Jan de Wit <[hidden email]>:
>
>> It’s not cordova itself that is vulnerable, it’s one particular version of a platform (3.5.0 android). I’m not saying that people should ignore security, just that we use a runtime and we cannot be held responsible or control what version of that runtime people are using.
>
> +1 I think it's users responsibility to upgrade or not. Also, it looks like Apache is not enforcing the latest cordova version in their plugins, e.g. https://github.com/apache/cordova-plugin-statusbar/blob/master/plugin.xml#L32

ha! That's good info!

-M
 


--
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
