XMPP Service Operators - 2022-09-28

  1. Licaon_Kter

    PSA: https://nvd.nist.gov/vuln/detail/CVE-2022-40674

  2. MattJ

    For a moment I thought this would be the WhatsApp CVE 🙂

  3. mjk

    what's the WhatsApp CVE?

  4. Menel

    Security alert notices: *WhatsApp: Critical vulnerability allows code smuggling during video calls* Two vulnerabilities in WhatsApp allow attackers to slip malicious code onto victims. Updated app versions plug the leaks. https://www.heise.de/news/WhatsApp-Kritische-Sicherheitsluecke-erlaubt-Codeschmuggel-bei-Videoanrufen-7274930.html

  5. Martin

    Menel: wrong language. 😉

  6. MattJ

    mjk: https://nvd.nist.gov/vuln/detail/CVE-2022-36934

  7. moparisthebest

    MattJ: eek is that a vuln in the same webrtc lib that all the XMPP clients use too? :/ https://matrix.org/blog/2022/09/23/pre-disclosure-upcoming-critical-security-release-of-matrix-sd-ks-and-clients has me suspicious

  8. moparisthebest

    Luckily I don't make calls with malicious actors personally :|

  9. MattJ

    moparisthebest, that sounds like something related to E2EE, rather than WebRTC, but yeah... I share the suspicion that ultimately this might be a vulnerability in WebRTC or specific usage of it.

  10. moparisthebest

    Nothing says security or overflow here https://webrtc.googlesource.com/src/+log but there are some "fix math" commits 🤔

  11. moparisthebest

    Ok the matrix security problems weren't webrtc related at least, but wow https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients

  12. Licaon_Kter

    moparisthebest: did you rebuild all your libexpat-dependent binaries yet? :)