There's no detailed info on this vuln yet, but it seems a remote code execution bug was found in Signal: https://twitter.com/ortegaalfredo/status/995017143002509313

As Electron allows running JavaScript code with user privileges, this means a JavaScript injection / XSS can directly lead to RCE. There's no official advisory or writeup yet, but the changelog for 1.10.1 says: "Fixes a bug recently published by Alfredo Ortega", i.e. that release fixes the bug. Please bump.
Version 1.10.1 is in tree now, see also #655560
Details: https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection/advisory/
The only version in tree is 1.13.0 now, which does not seem vulnerable. Can you confirm? Thanks
Tree is clean, thanks Amy!