Bug 1203848 - (CVE-2022-39236) VUL-0: matrix: security release
(CVE-2022-39236)
VUL-0: matrix: security release
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Dominik Heidler
Security Team bot
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-09-28 13:40 UTC by Marcus Meissner
Modified: 2022-09-28 16:15 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2022-09-28 13:40:59 UTC
https://matrix.org/blog/2022/09/23/pre-disclosure-upcoming-critical-security-release-of-matrix-sd-ks-and-clients

2022-09-23 — Security — Matrix Security

We will be releasing a security update to matrix-js-sdk, matrix-ios-sdk and matrix-android-sdk2 and clients which implement end-to-end encryption with these libraries, to patch critical security issues, on Wed, Sept 28th. The releases will be published in the afternoon, followed by the disclosure blog post around 16:00 UTC. The affected clients include Element Web, Desktop, iOS and Android. We will also be working with downstream packagers and forks over the coming days to ensure a synchronised release to address affected clients.

Clients using matrix-rust-sdk, hydrogen-sdk and matrix-nio are not affected by these critical issues. We are also auditing third-party client SDKs and clients in advance of the release, and will work with the projects if action is needed. So far we've confirmed that other popular SDK/clients including mtxclient (nheko), Matrix Dart SDK (FluffyChat), Trixnity (Timmy), Syphon, mautrix-go (Gomuks) and mautrix-python are not affected by the issues in question.

If you maintain or package a (potentially) affected E2EE-capable Matrix client and need to coordinate on the release, please contact [email protected].

We advise to upgrade as soon as possible after the patched versions are released.

Thank you for your patience while we work to resolve this issue.
Comment 1 Dominik Heidler 2022-09-28 13:42:48 UTC
* CVE-2022-39249
* CVE-2022-39250
* CVE-2022-39251
* CVE-2022-39236