-
emus
Hi Ge0rG, what was the last status of this security/CVE extraction?
-
Ge0rG
emus: it was considered a bad marketing idea to have a central list of the XMPP shortcomings
-
emus
Ah, I remember. Well, is it that much, or is it that in general? I mean, every piece of software has those problems, I believe?
-
emus
let's look at the others: https://www.opencve.io/cve?vendor=matrix
-
moparisthebest
There Matrix is a vendor though; XMPP isn't, and neither is the XSF
-
moparisthebest
i.e. https://www.opencve.io/cve?vendor=gajim
-
emus
https://www.opencve.io/cve?cvss=&search=xmpp well, yes, but you get an answer
-
emus
> Ge0rG:
> 2022-09-28 05:46 (GMT+02:00)
> emus: it was considered a bad marketing idea to have a central list of the XMPP shortcomings

Is that the general opinion around here?
-
emus
btw
-
MSavoritias (fae,ve)
I could see it only in the context of maybe server operators. But then I think there are better sources for that.
-
moparisthebest
emus: does the IETF have a list of CVEs related to RFCs?
-
moparisthebest
I think if they don't then we shouldn't
-
emus
Maybe they should, if they don't have one
-
moparisthebest
Good, then we should wait for them to do it, then just filter the ones from the XMPP RFC :)
-
moparisthebest
> "Malicious key backup" – the above 'trusted impersonation' bug in matrix-js-sdk (and derived SDKs) could be used by a malicious homeserver admin to add a malicious key backup to the user's account under certain unusual conditions in order to exfiltrate message keys.
-
MattJ
I don't think the IETF is a fair analogy. The XSF has always been more about the ecosystem and implementations than the IETF (I mean, it used to be called the Jabber *Software* Foundation). It is also much narrower in scope.
-
moparisthebest
Wow @ Matrix: it's not a protocol bug, it's just E2E that allows your server admin to request a copy of your keys
-
moparisthebest
This is an argument against OX-style key sharing, by the way