[Pkg-matrix-maintainers] Bug#1022925: nheko: Version in bullseye(-backports) is vulnerable to DoS and secret poisoning
Val Lorentz
progval at progval.net
Thu Oct 27 18:52:30 BST 2022
Package: nheko
Version: 0.9.3-2~bpo11+1
Severity: important
Dear maintainers,
Since version 0.9.3 (currently in bullseye-backports), Nheko has fixed at
least two major issues:
1. Crash on events with oversized state key, when used with Synapse
https://github.com/Nheko-Reborn/nheko/issues/1172
In particular, because such an event was sent to Nheko's official
support room (#nheko:nheko.im), it means Nheko is unusable with any
account joined to that room, showing an endless spinner on startup.
This was fixed in v0.10.1:
* https://github.com/Nheko-Reborn/nheko/commit/47189240a219cfe0260463c82cc68aeaaae2f823
* https://github.com/Nheko-Reborn/mtxclient/commit/ce47f0b280c7e5241a556d63c518267d5e6b9c1c
2. Secret poisoning (CVE-2022-39264)
https://github.com/Nheko-Reborn/nheko/security/advisories/GHSA-8jcp-8jq4-5mm7
This was fixed in v0.10.2:
* https://github.com/Nheko-Reborn/nheko/commit/67bee15a389f9b8a9f6c3a340558d1e2319e7199
Thanks in advance,
Val Lorentz