CVE-2024-51749 (https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2): Versions of Element Web and Desktop earlier than 1.11.85 do not check if thumbnails for attachments, stickers and images are coherent. It is possible to add thumbnails to events that trigger a file download once clicked.

CVE-2024-51750 (https://github.com/element-hq/element-web/security/advisories/GHSA-w36j-v56h-q9pc): A malicious homeserver can send invalid messages over federation which can prevent Element Web and Desktop from rendering single messages or the entire room containing them.

The above is fixed in 1.11.85.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9a5b19588777fe7e1cf63b42e9a5c4ef7ddff9af

commit 9a5b19588777fe7e1cf63b42e9a5c4ef7ddff9af
Author:     Joe Kappus <joe@wt.gd>
AuthorDate: 2024-11-15 04:13:56 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-11-21 06:12:07 +0000

    net-im/element-desktop-bin: add 1.11.86

    Bug: https://bugs.gentoo.org/943876
    Signed-off-by: Joe Kappus <joe@wt.gd>
    Closes: https://github.com/gentoo/gentoo/pull/39327
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-im/element-desktop-bin/Manifest | 1 +
 .../element-desktop-bin-1.11.86.ebuild | 83 ++++++++++++++++++++++
 2 files changed, 84 insertions(+)