| 9 Apr 2024 |
|  Leo joined the room. | 12:26:57 |
 aleksana 🏳️⚧️ (force me to bed after 18:00 UTC) | * The security researchers at exploit.org claimed they've found an RCE in Telegram Desktop's latest version (seems 4.16.1 at least), and updated a demonstration video targeting Windows build. Someone in the comment claimed they could not trigger the PoC in 4.16.4. Currently 23.11 and unstable branch has 4.16.1, and master was updated to 4.16.4 yesterday. Original message: SECURITY ALERT ⚠️
Possible RCE was detected in Telegram's media processing in Telegram Desktop application.
This issue expose users to malicious attacks through specially crafted media files, such as images or videos.
For security reasons disable auto-download feature. Please follow these steps:
1. Go to Settings.
2. Tap on "Advanced".
3. Under the "Automatic Media Download" section, disable auto-download for "Photos", "Videos", and "Files" across all chat types (Private chats, groups, and channels).
We are currently investigating this vulnerability.
Link: https://t.me/exploitorg/30 Edit: telegram official said they could not find the vulnerability and the demonstration video is likely staged. https://twitter.com/telegram/status/1777677055837995151 | 12:50:10 |
|  SomeoneSerge (back on matrix) changed their display name from SomeoneSerge (migrating synapse) to SomeoneSerge (void). | 13:24:35 |
|  @5m5z3q888q5prxkg:chat.lightnovel-dungeon.de changed their profile picture. | 23:12:29 |
|  djacu changed their profile picture. | 23:22:53 |
 lukegb (he/him) | Alas, I am travelling and don't really have time rn | 23:49:14 |
| 10 Apr 2024 |
 Sashanoraa.gay (she/her, ze/zir) | Redacted or Malformed Event | 04:55:35 |
|  svl joined the room. | 05:15:59 |
|  Tristan Ross joined the room. | 20:29:23 |
| Tristan Ross | https://github.com/YuriiCrimson/ExploitGSM/ anyone aware of this security vulnerability? | 20:29:46 |
 magic_rb | That repo looks extremely sus and the behavior of the author is also very weird | 20:33:21 |
| magic_rb | * That repo looks extremely sus and the behavior of the author is also very weird, lets follow up in #security-discuss:nixos.org if need be | 20:33:52 |
| Tristan Ross | Alright | 20:34:11 |
| 11 Apr 2024 |
|  NixOS Moderation Bot banned  @falaichte:techsaviours.org (<no reason supplied>). | 20:44:07 |
| 12 Apr 2024 |
|  @yuka:yuka.dev changed their profile picture. | 08:07:21 |
| aleksana 🏳️⚧️ (force me to bed after 18:00 UTC) | * The security researchers at exploit.org claimed they've found an RCE in Telegram Desktop's latest version (seems 4.16.1 at least), and updated a demonstration video targeting Windows build. Someone in the comment claimed they could not trigger the PoC in 4.16.4. Currently 23.11 and unstable branch has 4.16.1, and master was updated to 4.16.4 yesterday. Original message: SECURITY ALERT ⚠️
Possible RCE was detected in Telegram's media processing in Telegram Desktop application.
This issue expose users to malicious attacks through specially crafted media files, such as images or videos.
For security reasons disable auto-download feature. Please follow these steps:
1. Go to Settings.
2. Tap on "Advanced".
3. Under the "Automatic Media Download" section, disable auto-download for "Photos", "Videos", and "Files" across all chat types (Private chats, groups, and channels).
We are currently investigating this vulnerability.
Link: https://t.me/exploitorg/30 Edit: telegram official said they could not find the vulnerability and the demonstration video is likely staged. https://twitter.com/telegram/status/1777677055837995151 Edit again: RCE confirmed but not zero-click. The user have to click a file that appear to be video files. Affected versions are 4.16.0 to 4.16.6. | 11:24:06 |
 hexa | https://www.openwall.com/lists/oss-security/2024/04/12/11 | 20:46:12 |
| hexa | * https://www.openwall.com/lists/oss-security/2024/04/12/11 php | 20:46:32 |
| hexa | ma27 | 20:48:00 |
 ma27 | huh, nobody was faster?
fine, on it. | 20:48:50 |
| ma27 | https://github.com/NixOS/nixpkgs/pull/303711 | 21:05:00 |
| 13 Apr 2024 |
|  ⛧-440729 [sophie raven] (it/its) changed their display name from Sophie to sophie. | 08:27:37 |
 tgerbet | https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_10.html
cc emily
| 11:06:14 |
| tgerbet | Done in
https://github.com/NixOS/nixpkgs/pull/303377
https://github.com/NixOS/nixpkgs/pull/303471
Somehow missed it in GH search, sorry for the noise | 12:55:11 |
| 15 Apr 2024 |
 Markus Theil | Botan 3.4.0 was released: https://github.com/NixOS/nixpkgs/pull/304220 | 09:44:54 |
| djacu left the room. | 16:17:25 |
 samueldr | https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html | 19:22:28 |
| samueldr | * https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html ( https://hachyderm.io/@simontatham/112276855758487211 ) | 19:22:46 |
| hexa | https://github.com/NixOS/nixpkgs/pull/304354 | 19:55:11 |
| 16 Apr 2024 |
|  tlaurion aka Insurgo [ Timezone: ET ] changed their display name from Insurgo aka tlaurion [UTC-4:Processing backlog] to Insurgo aka tlaurion [UTC-4]. | 01:01:36 |
