
FS#78024 - [element-desktop/element-web] 1.11.20-1: CVE-2023-28427 and CVE-2023-28103 ("high" severity)

Attached to Project: Community Packages
Opened by Pascal Ernster (hardfalcon) - Tuesday, 28 March 2023, 20:51 GMT
Last edited by Toolybird (Toolybird) - Wednesday, 29 March 2023, 05:08 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Bruno Pagani (ArchangeGabriel)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

element-desktop and element-web <= 1.11.26 ship vulnerable versions of the Matrix JS SDK and the Matrix React SDK, making them vulnerable to CVE-2023-28427 and CVE-2023-28103. Upstream has classified both CVEs as "high" severity because although they have only demonstrated DoS, they can't rule out a more severe impact:

https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0

Since there seem to be 3 bug reports about various crashes of element-desktop 1.11.20-1 open since January 2023, I've built my own package of element-desktop 1.11.26 in a clean chroot and I can confirm that it is working fine, at least on my machines.

Closed by Toolybird (Toolybird)
Wednesday, 29 March 2023, 05:08 GMT
Reason for closing: Fixed
Additional comments about closing: element-{desktop,web} 1.11.26-1
Comment by Pascal Ernster (hardfalcon) - Tuesday, 28 March 2023, 20:52 GMT
Correction: "<= 1.11.26" should obviously have been "< 1.11.26".
Comment by Bruno Pagani (ArchangeGabriel) - Tuesday, 28 March 2023, 21:24 GMT
Thanks for notifying, as per my previous statement I’m still quite busy with life, but I’ll try to get that one out this night.
Comment by Pascal Ernster (hardfalcon) - Wednesday, 29 March 2023, 04:58 GMT
Thanks a lot for the quick update, Bruno :)