FS#78024 - [element-desktop/element-web] 1.11.20-1: CVE-2023-28427 and CVE-2023-28103 ("high" severity)
Attached to Project:
Community Packages
Opened by Pascal Ernster (hardfalcon) - Tuesday, 28 March 2023, 20:51 GMT
Last edited by Toolybird (Toolybird) - Wednesday, 29 March 2023, 05:08 GMT
Details
element-desktop and element-web <= 1.11.26 ship vulnerable versions of the Matrix JS SDK and the Matrix React SDK, making them vulnerable to CVE-2023-28427 and CVE-2023-28103. Upstream has classified both CVEs as "high" severity because although they have only demonstrated DoS, they can't rule out a more severe impact:
https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0

Since there seem to be 3 bug reports about various crashes of element-desktop 1.11.20-1 open since January 2023: I've built my own package of element-desktop 1.11.26 in a clean chroot and I can confirm that it is working fine at least on my machines.
Closed by Toolybird (Toolybird)
Wednesday, 29 March 2023, 05:08 GMT
Reason for closing: Fixed
Additional comments about closing: element-{desktop,web} 1.11.26-1
Comment by Pascal Ernster (hardfalcon) - Tuesday, 28 March 2023, 20:52 GMT
Correction: "<= 1.11.26" should obviously have been "< 1.11.26".
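The report, together with the correction above, gives a concrete affected range (element-desktop/element-web below 1.11.26, fixed in 1.11.26-1). The following is an added example, not code from the report, from Arch or from the Element project, of how a defender can check installed package versions against that range from `pacman -Q` style output ("name version-release" per line). The sample output is constructed; the version parser assumes purely numeric dotted versions and is a simplification of pacman's own vercmp rules.

```python
import re
from typing import List, Tuple

# Fixed versions named in the bug report (closing comment: element-{desktop,web} 1.11.26-1).
FIXED_VERSIONS = {
    "element-desktop": "1.11.26-1",
    "element-web": "1.11.26-1",
}

# Constructed sample of `pacman -Q` output: one vulnerable package, one fixed,
# one unrelated package.
SAMPLE_PACMAN_Q = """\
element-desktop 1.11.20-1
element-web 1.11.26-1
firefox 111.0.1-1
"""

_NUMERIC = re.compile(r"^\d+(\.\d+)*$")


def parse_pkgver(ver: str) -> Tuple[Tuple[int, ...], int]:
    """Split an Arch 'pkgver-pkgrel' string into comparable numeric parts.

    Assumption (simplification of pacman's vercmp): pkgver is dotted numeric.
    Components are compared as integers, not strings, so 1.11.9 < 1.11.26.
    """
    pkgver, _, pkgrel = ver.partition("-")
    if not _NUMERIC.match(pkgver):
        raise ValueError(f"unsupported pkgver format: {pkgver!r}")
    nums = tuple(int(x) for x in pkgver.split("."))
    rel = int(pkgrel) if pkgrel else 0
    return nums, rel


def is_affected(installed: str, fixed: str) -> bool:
    """True if the installed version is strictly older than the fixed version."""
    inst_nums, inst_rel = parse_pkgver(installed)
    fix_nums, fix_rel = parse_pkgver(fixed)
    # Pad to equal length so 1.11 compares equal to 1.11.0 rather than lower.
    width = max(len(inst_nums), len(fix_nums))
    inst_nums += (0,) * (width - len(inst_nums))
    fix_nums += (0,) * (width - len(fix_nums))
    return (inst_nums, inst_rel) < (fix_nums, fix_rel)


def find_affected(pacman_q_output: str) -> List[Tuple[str, str, str]]:
    """Return (name, installed, fixed) for every tracked package still below the fix."""
    hits = []
    for line in pacman_q_output.splitlines():
        if not line.strip():
            continue
        name, version = line.split(maxsplit=1)
        fixed = FIXED_VERSIONS.get(name)
        if fixed is not None and is_affected(version, fixed):
            hits.append((name, version, fixed))
    return hits


if __name__ == "__main__":
    for name, installed, fixed in find_affected(SAMPLE_PACMAN_Q):
        print(f"{name} {installed} is below fixed version {fixed}")
```

On a real system, feed it `subprocess.run(["pacman", "-Q"], capture_output=True, text=True).stdout` instead of the constructed sample; the numeric comparison matters because a plain string comparison would wrongly treat 1.11.9 as newer than 1.11.26.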
Comment by Bruno Pagani (ArchangeGabriel) - Tuesday, 28 March 2023, 21:24 GMT
Thanks for notifying, as per my previous statement I’m still quite
busy with life, but I’ll try to get that one out this night.
Comment by Pascal Ernster (hardfalcon) - Wednesday, 29 March 2023, 04:58 GMT
Thanks a lot for the quick update, Bruno :)