CVE-2022-28764: The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.12.6 is susceptible to a local information exposure vulnerability. A failure to clear data from a local SQL database after a meeting ends and the usage of an insufficiently secure per-device key encrypting that database results in a local malicious user being able to obtain meeting information such as in-meeting chat for the previous meeting attended from that local user account. Please clean up.
Target delay is 40 days, right?
Are you asking to keep around old Zoom for 40 days? The "vulnerability treatment policy" document is sorely out of date, and very little of it reflects the reality of how we treat vulnerabilities. And as far as I can tell, this has been the case for at least several years before I became a developer.
No, but the last bump was on 2022-11-12, and normally I keep the previous version around for at least two weeks for the convenience of users. It wouldn't be the first time that there's a regression. Dropping the old version early for a ~4 bug just seems a little out of balance.
Yes, we can proceed at maintainer's discretion here.
All done.