873325 – <net-im/element-desktop-bin-1.11.8: Multiple vulnerabilities

Bug 873325 - <net-im/element-desktop-bin-1.11.8: Multiple vulnerabilities

Summary: <net-im/element-desktop-bin-1.11.8: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial
Assignee:	Gentoo Security

URL:	https://matrix.org/blog/2022/09/28/up...
Whiteboard:	~? [noglsa]
Keywords:	PullRequest

Depends on:
Blocks:	873346
	Show dependency tree

Reported:	2022-09-28 16:03 UTC by tea
Modified:	2022-09-29 05:17 UTC (History)
CC List:	1 user (show)

See Also:	873331 https://github.com/gentoo/gentoo/pull/27513
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description tea 2022-09-28 16:03:30 UTC

Two critical severity vulnerabilities in end-to-end encryption and three lower priority issues were found in the SDK which powers Element.
1.11.7[1] seems to be the release that fixes them. It references 4 CVEs that are not published yet:
    - CVE-2022-39249
    - CVE-2022-39250
    - CVE-2022-39251
    - CVE-2022-39236

CVE-2022-39250 and CVE-2022-39251 are the critical severity vulnerabilities, CVE-2022-39249 is a lower severity vulnerability, i don't know what CVE-2022-39236 is.

[1] <https://github.com/vector-im/element-desktop/releases/tag/v1.11.7>

Comment 1 John Helmert III archtester

2022-09-29 05:17:21 UTC

commit a759a7f3bd6070f176e37bacf04f15871d2c5e93
Author: Stefan Strogin <steils@gentoo.org>
Date:   Thu Sep 29 03:25:47 2022 +0000

    net-im/element-desktop-bin: upgrade 1.11.1 -> 1.11.8

    Signed-off-by: Stefan Strogin <steils@gentoo.org>

Tree is clean, all done!