Page MenuHomeSolus
Create Task
Maniphest T6411

signal-desktop code injection
Closed, ResolvedPublic
Actions

Description

I don't know if you are aware yet, but signal recently had two significant flaws, which are patched in 1.11.0

CVE-2018-10994
CVE-2018-11101

https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection/
https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection-variant-2/

Revisions and Commits

R3823 signal-desktop
R3823:b978ab3dfdc8 Update to 1.11.0.

Event Timeline

GladOSkar created this task.May 18 2018, 6:21 AM
Herald removed ikey as the assignee of this task. · View Herald TranscriptMay 18 2018, 6:21 AM
Herald added a subscriber: ikey.
JoshStrobl claimed this task.May 18 2018, 8:33 AM
JoshStrobl triaged this task as High priority.
JoshStrobl added a subscriber: JoshStrobl.

Aware of the issue. I reached out to Signal Desktop regarding a removal of a large amount of their build system that broke our package build and haven't received a response. I'll be working on reverting their changes today so I can get this out to users.

JoshStrobl closed this task as Resolved by committing R3823:b978ab3dfdc8: Update to 1.11.0..May 18 2018, 3:29 PM
JoshStrobl added a commit: R3823:b978ab3dfdc8: Update to 1.11.0..
JoshStrobl added a comment.May 18 2018, 3:29 PM

@GladOSkar This will be in our upcoming sync to the stable repo.

JoshStrobl changed the visibility from "Custom Policy" to "Public (No Login Required)".May 18 2018, 3:30 PM
Copyright © 2015-2021 Solus Project. The Solus logo is Copyright © 2016-2021 Solus Project. All Rights Reserved.