-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
54 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| # 0.12.2 Changelog | ||
|
|
||
| ## Vulnerability disclosure | ||
|
|
||
| This release contains a fix for a security vulnerability. We recommend updating as soon as possible. | ||
|
|
||
| A security researcher discovered that the application used an insecure random number generator. This could allow an attacker to predict the random numbers generated by the application, which could lead to a variety of security issues. | ||
|
|
||
| While we believe the risk of exploitation is low, we recommend that you update the token on your original device: | ||
|
|
||
| 1. Update the app to the latest version. | ||
| 2. Go to the Devices screen at the "More" section. | ||
| 3. Make sure that your device is named "Initial device". If it's not, do the steps on that initial device instead. If you don't have access to that device anymore, revoke the access for that device by tapping it in the list below. | ||
| 4. Tap on the "Initial device". The app will ask you if you want to refresh the token. Tap "Confirm". | ||
|
|
||
| Only the token of the initial device might be vulnerable. Tokens of other devices and backups encryption key are generated by your server with a secure random number generator. | ||
|
|
||
| Servers created with this version and newer will not be vulnerable to this. | ||
|
|
||
| We haven't received information from the security researcher on how to credit them, and will update this changelog on our website and git forge when we do. | ||
|
|
||
| ## Changes | ||
|
|
||
| ### Features | ||
|
|
||
| - Allow refreshing device token for Server API ([#565](https://git.selfprivacy.org/SelfPrivacy/selfprivacy.org.app/issues/565)) | ||
| - Upgrade Flutter to 3.24.0 ([#562](https://git.selfprivacy.org/SelfPrivacy/selfprivacy.org.app/issues/562)) | ||
|
|
||
| ### Bug fixes | ||
|
|
||
| - **i18l**: Resolve word puzzles ([#566](https://git.selfprivacy.org/SelfPrivacy/selfprivacy.org.app/issues/566)) | ||
| - Use the cryptographically secure random number generator ([#565](https://git.selfprivacy.org/SelfPrivacy/selfprivacy.org.app/issues/565)) | ||
| - Remove hardcode for recovery support articles ([#563](https://git.selfprivacy.org/SelfPrivacy/selfprivacy.org.app/issues/563), resolves [#251](https://git.selfprivacy.org/SelfPrivacy/selfprivacy.org.app/issues/251)) | ||
| - Volume resize function didn't work due to logical error | ||
|
|
||
|
|
||
| ### Translation contributions | ||
|
|
||
|
|
||
| * Estonian | ||
|
|
||
| * Dmitri B. (9) | ||
|
|
||
|
|
||
| * German | ||
|
|
||
| * Philipp Weiermann (23) | ||
|
|
||
|
|
||
| * Russian | ||
|
|
||
| * Inex Code (24) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters