Your message dated Mon, 04 Nov 2024 18:21:25 +0000
with message-id <e1t81hd-0031he...@fasolo.debian.org>
and subject line Bug#1080047: Removed package(s) from unstable
has caused the Debian Bug report #1021136,
regarding node-matrix-js-sdk: CVE-2022-39236 CVE-2022-39249 CVE-2022-39251
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1021136: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021136
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: sox
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for sox.

CVE-2022-39236[0]:
| Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript.
| Starting with version 17.1.0-rc.1, improperly formed beacon events can
| disrupt or impede the matrix-js-sdk from functioning properly,
| potentially impacting the consumer's ability to process data safely.
| Note that the matrix-js-sdk can appear to be operating normally but be
| excluding or corrupting runtime data presented to the consumer. This
| is patched in matrix-js-sdk v19.7.0. Redacting applicable events,
| waiting for the sync processor to store data, and restarting the
| client are possible workarounds. Alternatively, redacting the
| applicable events and clearing all storage will fix the further
| perceived issues. Downgrading to an unaffected version, noting that
| such a version may be subject to other vulnerabilities, will
| additionally resolve the issue.

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x
https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
https://github.com/matrix-org/matrix-spec-proposals/pull/3488

CVE-2022-39249[1]:
| Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript.
| Prior to version 19.7.0, an attacker cooperating with a malicious
| homeserver can construct messages appearing to have come from another
| person. Such messages will be marked with a grey shield on some
| platforms, but this may be missing in others. This attack is possible
| due to the matrix-js-sdk implementing a too permissive key forwarding
| strategy on the receiving end. Starting with version 19.7.0, the
| default policy for accepting key forwards has been made more strict in
| the matrix-js-sdk. matrix-js-sdk will now only accept forwarded keys
| in response to previously issued requests and only from own, verified
| devices. The SDK now sets a `trusted` flag on the decrypted message
| upon decryption, based on whether the key used to decrypt the message
| was received from a trusted source. Clients need to ensure that
| messages decrypted with a key with `trusted = false` are decorated
| appropriately, for example, by showing a warning for such messages.
| This attack requires coordination between a malicious homeserver and
| an attacker, and those who trust your homeservers do not need a
| workaround.

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6263-x97c-c4gg
https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
https://github.com/matrix-org/matrix-spec-proposals/pull/3061
https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients

CVE-2022-39251[2]:
| Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript.
| Prior to version 19.7.0, an attacker cooperating with a malicious
| homeserver can construct messages that legitimately appear to have
| come from another person, without any indication such as a grey
| shield. Additionally, a sophisticated attacker cooperating with a
| malicious homeserver could employ this vulnerability to perform a
| targeted attack in order to send fake to-device messages appearing to
| originate from another user. This can allow, for example, to inject
| the key backup secret during a self-verification, to make a targeted
| device start using a malicious key backup spoofed by the homeserver.
| These attacks are possible due to a protocol confusion vulnerability
| that accepts to-device messages encrypted with Megolm instead of Olm.
| Starting with version 19.7.0, matrix-js-sdk has been modified to only
| accept Olm-encrypted to-device messages. Out of caution, several other
| checks have been audited or added. This attack requires coordination
| between a malicious home server and an attacker, so those who trust
| their home servers do not need a workaround.

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-r48r-j8fx-mq2c
https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39236
    https://www.cve.org/CVERecord?id=CVE-2022-39236
[1] https://security-tracker.debian.org/tracker/CVE-2022-39249
    https://www.cve.org/CVERecord?id=CVE-2022-39249
[2] https://security-tracker.debian.org/tracker/CVE-2022-39251
    https://www.cve.org/CVERecord?id=CVE-2022-39251

Please adjust the affected versions in the BTS as needed.

--- End Message ---
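The two Megolm/Olm advisories above (CVE-2022-39249 and CVE-2022-39251) describe receiving-side policy rather than a parsing bug: accept forwarded room keys only in answer to a request this client made and only from the user's own verified devices, attach a `trusted` flag to decrypted messages, and refuse to-device events that are not Olm-encrypted. The block below is an added example written for this page, not matrix-js-sdk code, that sketches those checks in plain JavaScript. The algorithm identifiers are the Matrix spec's; the state layout, function names and sample events are constructed for the example, and actual Megolm decryption is out of scope (the session lookup only propagates the trust decision).

```javascript
// Added example (not matrix-js-sdk code): receiving-side policy for two of the
// checks the advisories describe.
//  1. A forwarded room key is usable only if it answers a key request we issued,
//     and only if it came from one of our own, verified devices.
//  2. An encrypted to-device event must use Olm; a Megolm payload on the
//     to-device channel is rejected outright (the protocol-confusion case).
// Decrypted room events carry `trusted`, derived from how the session key was
// obtained, so a client can warn on messages decrypted with an untrusted key.

const OLM_ALGORITHM = "m.olm.v1.curve25519-aes-sha2"; // Matrix spec identifier
const MEGOLM_ALGORITHM = "m.megolm.v1.aes-sha2";     // Matrix spec identifier

// Client state assumed by this example (constructed, not the SDK's own shape).
function makeClientState(userId) {
  return {
    userId,
    pendingKeyRequests: new Set(), // "<roomId>|<sessionId>" we asked for
    ownDevices: new Map(),         // deviceId -> { verified: boolean }
    sessions: new Map(),           // "<roomId>|<sessionId>" -> { sessionKey, trusted }
  };
}

const sessionId = (roomId, sid) => `${roomId}|${sid}`;

function requestKey(state, roomId, sid) {
  state.pendingKeyRequests.add(sessionId(roomId, sid));
}

// `forward` is the m.forwarded_room_key content plus the sender identity that
// the Olm channel established: { senderUserId, senderDeviceId, roomId,
// sessionId, sessionKey }. Returns the decision and a reason.
function acceptForwardedKey(state, forward) {
  const id = sessionId(forward.roomId, forward.sessionId);
  if (!state.pendingKeyRequests.has(id)) {
    return { accepted: false, reason: "unsolicited" };
  }
  if (forward.senderUserId !== state.userId) {
    return { accepted: false, reason: "not-own-device" };
  }
  const device = state.ownDevices.get(forward.senderDeviceId);
  if (!device || !device.verified) {
    return { accepted: false, reason: "unverified-device" };
  }
  state.pendingKeyRequests.delete(id);
  state.sessions.set(id, { sessionKey: forward.sessionKey, trusted: true });
  return { accepted: true, reason: "ok" };
}

// Assumption for this example: a key restored from server-side backup is
// recorded as untrusted, so messages it decrypts are flagged to the client.
function importBackupSession(state, roomId, sid, sessionKey) {
  state.sessions.set(sessionId(roomId, sid), { sessionKey, trusted: false });
}

// Room events must be Megolm; the trust flag comes from the session record.
function decryptRoomEvent(state, event) {
  const c = event.content;
  if (c.algorithm !== MEGOLM_ALGORITHM) {
    return { ok: false, reason: "unexpected-algorithm" };
  }
  const session = state.sessions.get(sessionId(event.room_id, c.session_id));
  if (!session) return { ok: false, reason: "unknown-session" };
  // Real Megolm decryption would happen here; only the trust decision is modelled.
  return { ok: true, trusted: session.trusted };
}

// Gate for events delivered over /sendToDevice: encrypted ones must be Olm.
function acceptToDeviceEvent(event) {
  if (event.type !== "m.room.encrypted") {
    return { accepted: true, reason: "plaintext" };
  }
  const alg = event.content && event.content.algorithm;
  if (alg !== OLM_ALGORITHM) {
    return { accepted: false, reason: `to-device events must use Olm, got ${alg}` };
  }
  return { accepted: true, reason: "olm" };
}

// Constructed walk-through: an unsolicited forward is dropped, a requested one
// from a verified own device is kept, and a Megolm to-device event is refused.
function demo() {
  const state = makeClientState("@alice:example.org");
  state.ownDevices.set("ALICEPHONE", { verified: true });
  const fwd = { senderUserId: "@alice:example.org", senderDeviceId: "ALICEPHONE",
                roomId: "!room:example.org", sessionId: "sess1", sessionKey: "k1" };
  const first = acceptForwardedKey(state, fwd).reason;    // "unsolicited"
  requestKey(state, "!room:example.org", "sess1");
  const second = acceptForwardedKey(state, fwd).reason;   // "ok"
  const spoofed = acceptToDeviceEvent({ type: "m.room.encrypted",
    content: { algorithm: MEGOLM_ALGORITHM } }).accepted; // false
  return { first, second, spoofed };
}
```

The important property is that every rejection happens before any key material is stored: an attacker cooperating with the homeserver can inject a forward or a to-device payload, but it is never consulted unless the request-and-device checks pass, and a key that arrived by a less trusted path can only ever yield `trusted = false`.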
--- Begin Message ---
Version: 9.11.0+~cs9.9.16-2+rm

Dear submitter,

as the package node-matrix-js-sdk has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1080047

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)

--- End Message ---
