| 1 | +--- |
| 2 | +date: '2022-08-31' |
| 3 | +title: 'Security releases: matrix-js-sdk 19.4.0 and matrix-react-sdk 3.53.0' |
| 4 | +categories: |
| 5 | + - Releases |
| 6 | + - Security |
| 7 | +author: Denis Kasak (dkasak) |
| 8 | +image: |
| 9 | +--- |
| 10 | + |
| 11 | +Today we are issuing security releases of matrix-js-sdk and matrix-react-sdk to |
| 12 | +patch a couple of High severity vulnerabilities (reserved as |
| 13 | +[CVE-2022-36059](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE%2D2022%2D36059) |
| 14 | +for the matrix-js-sdk and |
| 15 | +[CVE-2022-36060](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE%2D2022%2D36060) |
| 16 | +for the matrix-react-sdk). |
| 17 | + |
| 18 | +Affected clients include those which depend on the affected libraries, such as |
| 19 | +Element Web/Desktop and Cinny. Releases of the affected clients will follow |
| 20 | +shortly. We advise users of those clients to upgrade at their earliest |
| 21 | +convenience. |
| 22 | + |
| 23 | +The vulnerabilities give an adversary who you share a room with the ability to |
| 24 | +carry out a denial-of-service attack against the affected clients, making it |
| 25 | +not show all of a user's rooms or spaces and/or causing minor temporary |
| 26 | +corruption. |
| 27 | + |
| 28 | +The full vulnerability details will be disclosed at a later date, to give |
| 29 | +people time to upgrade and us to perform a more thorough audit of the codebase. |
| 30 | + |
| 31 | +Note that while the vulnerability was to our knowledge never exploited |
| 32 | +maliciously, some unintentional public testing has left some people affected by |
| 33 | +the bug. We made a best effort to sanitize this to stop the breakage. If you |
| 34 | +are affected, you may still need to clear the cache and reload your Matrix |
| 35 | +client for it to take effect. |
| 36 | + |
| 37 | +We thank [Val Lorentz](https://valentin-lorentz.fr/) who discovered and |
| 38 | +reported the vulnerability over the weekend. |
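Review bot: the front matter on line 8 of this hunk declares `image:` with no value; if the site template reads that key for the post header or social preview, either set it to an asset or drop the key so it does not render an empty image. Two smaller points in the body: on lines 24-25 "against the affected clients, making it not show all of a user's rooms" mixes a plural noun with a singular pronoun, so "making them not show" (or "which prevents them from showing") reads correctly; and the CVE links on lines 13 and 15 go to the MITRE keyword search (`cvekey.cgi?keyword=`) rather than the record page (`cvename.cgi?name=CVE-2022-36059`), which is the more stable target once the reserved entries are populated.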