
Chromium WebAudio Vulnerability Fix (CVE-2019-13720)


A High severity vulnerability has been discovered in Chrome which affects all software based on Chromium, including Electron.

This vulnerability has been assigned CVE-2019-13720. You can read more about it in the Chrome Blog Post.

Please note that Chrome has reports of this vulnerability being used in the wild, so it is strongly recommended that you upgrade Electron as soon as possible.


Scope

This affects any Electron application that may run third-party or untrusted JavaScript.

Mitigation

Affected apps should upgrade to a patched version of Electron.

We've published new versions of Electron which include fixes for this vulnerability:

Electron 7.0.1 automatically included the fix from upstream, before the announcement was made. Electron 8 is similarly unaffected. The vulnerability did not exist in Electron 5, so that version is also unaffected.

Further Information

This vulnerability was discovered by Anton Ivanov and Alexey Kulaev at Kaspersky Labs and reported to the Chrome team. The Chrome blog post can be found here.

To learn more about best practices for keeping your Electron apps secure, see our security tutorial.

If you wish to report a vulnerability in Electron, email security@electronjs.org.