| 8 Apr 2024 |
 @mtheil:scs.ems.host | * Cherrypick/patch or wait? I'd wait. | 15:18:28 |
| @mtheil:scs.ems.host | Another reminder to drop support for 1.1.1, when possible :) | 15:19:00 |
 tgerbet | Envoy 1.27.4 (CVE-2024-30255) https://github.com/envoyproxy/envoy/releases/tag/v1.27.4
cc lukegb (he/him) (build is already kind of broken and only work thanks to caching of the deps :/ )
| 18:21:01 |
|  @a-n-n-a-l-e-e:matrix.org left the room. | 23:11:17 |
| 9 Apr 2024 |
 Find me at aleksana:qaq.li | The security researchers at exploit.org claimed they've found an RCE in Telegram Desktop's latest version (seems 4.16.1 at least), and updated a demonstration video targeting Windows build. Someone in the comment claimed they could not trigger the PoC in 4.16.4.
Original message:
Link: https://t.me/exploitorg/30
| 06:00:20 |
| Find me at aleksana:qaq.li | * The security researchers at exploit.org claimed they've found an RCE in Telegram Desktop's latest version (seems 4.16.1 at least), and updated a demonstration video targeting Windows build. Someone in the comment claimed they could not trigger the PoC in 4.16.4.
Original message:
SECURITY ALERT ⚠️
Possible RCE was detected in Telegram's media processing in Telegram Desktop application.
This issue expose users to malicious attacks through specially crafted media files, such as images or videos.
For security reasons disable auto-download feature. Please follow these steps:
1. Go to Settings.
2. Tap on "Advanced".
3. Under the "Automatic Media Download" section, disable auto-download for "Photos", "Videos", and "Files" across all chat types (Private chats, groups, and channels).
We are currently investigating this vulnerability.
Link: https://t.me/exploitorg/30
| 06:00:32 |
| Find me at aleksana:qaq.li | * The security researchers at exploit.org claimed they've found an RCE in Telegram Desktop's latest version (seems 4.16.1 at least), and updated a demonstration video targeting Windows build. Someone in the comment claimed they could not trigger the PoC in 4.16.4.
Currently 23.11 and unstable branch has 4.16.1, and master was updated to 4.16.4 yesterday.
Original message:
SECURITY ALERT ⚠️
Possible RCE was detected in Telegram's media processing in Telegram Desktop application.
This issue expose users to malicious attacks through specially crafted media files, such as images or videos.
For security reasons disable auto-download feature. Please follow these steps:
1. Go to Settings.
2. Tap on "Advanced".
3. Under the "Automatic Media Download" section, disable auto-download for "Photos", "Videos", and "Files" across all chat types (Private chats, groups, and channels).
We are currently investigating this vulnerability.
Link: https://t.me/exploitorg/30
| 06:01:09 |
|  Leo joined the room. | 12:26:57 |
| Find me at aleksana:qaq.li | * The security researchers at exploit.org claimed they've found an RCE in Telegram Desktop's latest version (seems 4.16.1 at least), and updated a demonstration video targeting Windows build. Someone in the comment claimed they could not trigger the PoC in 4.16.4. Currently 23.11 and unstable branch has 4.16.1, and master was updated to 4.16.4 yesterday. Original message: SECURITY ALERT ⚠️
Possible RCE was detected in Telegram's media processing in Telegram Desktop application.
This issue expose users to malicious attacks through specially crafted media files, such as images or videos.
For security reasons disable auto-download feature. Please follow these steps:
1. Go to Settings.
2. Tap on "Advanced".
3. Under the "Automatic Media Download" section, disable auto-download for "Photos", "Videos", and "Files" across all chat types (Private chats, groups, and channels).
We are currently investigating this vulnerability.
Link: https://t.me/exploitorg/30 Edit: telegram official said they could not find the vulnerability and the demonstration video is likely staged. https://twitter.com/telegram/status/1777677055837995151 | 12:50:10 |
|  SomeoneSerge (matrix works sometimes) changed their display name from SomeoneSerge (migrating synapse) to SomeoneSerge (void). | 13:24:35 |
|  @5m5z3q888q5prxkg:chat.lightnovel-dungeon.de changed their profile picture. | 23:12:29 |
|  djacu changed their profile picture. | 23:22:53 |
 lukegb (he/him) | Alas, I am travelling and don't really have time rn | 23:49:14 |
| 10 Apr 2024 |
 Moved to @sashanoraa:matrix.org | Redacted or Malformed Event | 04:55:35 |
|  svl joined the room. | 05:15:59 |
|  Tristan Ross joined the room. | 20:29:23 |
| Tristan Ross | https://github.com/YuriiCrimson/ExploitGSM/ anyone aware of this security vulnerability? | 20:29:46 |
 magic_rb | That repo looks extremely sus and the behavior of the author is also very weird | 20:33:21 |
| magic_rb | * That repo looks extremely sus and the behavior of the author is also very weird, lets follow up in #security-discuss:nixos.org if need be | 20:33:52 |
| Tristan Ross | Alright | 20:34:11 |
| 11 Apr 2024 |
|  NixOS Moderation Bot banned  @falaichte:techsaviours.org (<no reason supplied>). | 20:44:07 |
| 12 Apr 2024 |
|  @yuka:yuka.dev changed their profile picture. | 08:07:21 |
| Find me at aleksana:qaq.li | * The security researchers at exploit.org claimed they've found an RCE in Telegram Desktop's latest version (seems 4.16.1 at least), and updated a demonstration video targeting Windows build. Someone in the comment claimed they could not trigger the PoC in 4.16.4. Currently 23.11 and unstable branch has 4.16.1, and master was updated to 4.16.4 yesterday. Original message: SECURITY ALERT ⚠️
Possible RCE was detected in Telegram's media processing in Telegram Desktop application.
This issue expose users to malicious attacks through specially crafted media files, such as images or videos.
For security reasons disable auto-download feature. Please follow these steps:
1. Go to Settings.
2. Tap on "Advanced".
3. Under the "Automatic Media Download" section, disable auto-download for "Photos", "Videos", and "Files" across all chat types (Private chats, groups, and channels).
We are currently investigating this vulnerability.
Link: https://t.me/exploitorg/30 Edit: telegram official said they could not find the vulnerability and the demonstration video is likely staged. https://twitter.com/telegram/status/1777677055837995151 Edit again: RCE confirmed but not zero-click. The user have to click a file that appear to be video files. Affected versions are 4.16.0 to 4.16.6. | 11:24:06 |
 hexa | https://www.openwall.com/lists/oss-security/2024/04/12/11 | 20:46:12 |
| hexa | * https://www.openwall.com/lists/oss-security/2024/04/12/11 php | 20:46:32 |
| hexa | ma27 | 20:48:00 |
 ma27 | huh, nobody was faster?
fine, on it. | 20:48:50 |
| ma27 | https://github.com/NixOS/nixpkgs/pull/303711 | 21:05:00 |
| 13 Apr 2024 |
|  ⛧-440729 [sophie raven] (it/its) changed their display name from Sophie to sophie. | 08:27:37 |
| tgerbet | https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_10.html
cc emily
| 11:06:14 |
