Two critical severity vulnerabilities in end-to-end encryption and three lower priority issues were found in the SDK which powers Element.

1.11.7[1] seems to be the release that fixes them. It references 4 CVEs that are not published yet:

- CVE-2022-39249
- CVE-2022-39250
- CVE-2022-39251
- CVE-2022-39236

CVE-2022-39250 and CVE-2022-39251 are the critical severity vulnerabilities, CVE-2022-39249 is a lower severity vulnerability, I don't know what CVE-2022-39236 is.

[1] <https://github.com/vector-im/element-web/releases/tag/v1.11.7>
There is even 1.11.8 now already with "Bump IDB crypto store version", looks good to bump to that one (and clean older, this is ~arch only)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dcba64768d637f229c9f3287473d8e50337ae612

commit dcba64768d637f229c9f3287473d8e50337ae612
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2022-09-28 16:46:06 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2022-09-28 16:47:09 +0000

    www-apps/element: 1.11.8 bump, remove security vulnerable versions

    Bug: https://bugs.gentoo.org/873331
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/element/Manifest | 3 +-
 www-apps/element/element-1.11.5.ebuild | 35 ----------------------
 ...element-1.11.2.ebuild => element-1.11.8.ebuild} | 0
 3 files changed, 1 insertion(+), 37 deletions(-)
Thanks, all done already!