Chromium WebAudio Vulnerability Fix (CVE-2019-13720)
A High severity vulnerability has been discovered in Chrome which affects all software based on Chromium, including Electron.
This vulnerability has been assigned CVE-2019-13720. You can read more about it in the Chrome Blog Post.
Please note that Chrome has reports of this vulnerability being used in the wild, so it is strongly recommended that you upgrade Electron as soon as possible.
Scope
This affects any Electron application that may run third-party or untrusted JavaScript.
Mitigation
Affected apps should upgrade to a patched version of Electron.
We've published new versions of Electron which include fixes for this vulnerability:
Electron 7.0.1 automatically included the fix from upstream, before the announcement was made. Electron 8 is similarly unaffected. The vulnerability did not exist in Electron 5, so that version is also unaffected.
Further Information
This vulnerability was discovered by Anton Ivanov and Alexey Kulaev at Kaspersky Labs and reported to the Chrome team. The Chrome blog post can be found here.
To learn more about best practices for keeping your Electron apps secure, see our security tutorial.
Please file a GitHub Security Advisory if you wish to report a vulnerability in Electron.