Bug#1022925: nheko: Version in bullseye(-backports) is vulnerable to DoS and secret poisoning

Val Lorentz Thu, 27 Oct 2022 12:15:16 -0700

Package: nheko
Version: 0.9.3-2~bpo11+1
Severity: important


Dear maintainers,

Since version 0.9.3 (currently in bullseye-backports), Nheko fix at least two major issues:


1. Crash on events with oversized state key, when used with Synapse

https://github.com/Nheko-Reborn/nheko/issues/1172

In particular, because such an event was sent to Nheko's official support room (#nheko:nheko.im), it means Nheko is unusable with any account joined to that room, showing an endless spinner on startup.


This was fixed in v0.10.1:

* https://github.com/Nheko-Reborn/nheko/commit/47189240a219cfe0260463c82cc68aeaaae2f823 * https://github.com/Nheko-Reborn/mtxclient/commit/ce47f0b280c7e5241a556d63c518267d5e6b9c1c



2. Secret poisoning (CVE-2022-39264)

https://github.com/Nheko-Reborn/nheko/security/advisories/GHSA-8jcp-8jq4-5mm7

This was fixed in v0.10.2:

* https://github.com/Nheko-Reborn/nheko/commit/67bee15a389f9b8a9f6c3a340558d1e2319e7199




Thanks in advance,
Val Lorentz

OpenPGP_signature
Description: OpenPGP digital signature

Bug#1022925: nheko: Version in bullseye(-backports) is vulnerable to DoS and secret poisoning

Reply via email to