Arch Linux 811 Published by

A telegram-desktop security update has been released for Arch Linux.



ASA-202107-45: telegram-desktop: content spoofing


Arch Linux Security Advisory ASA-202107-45
=========================================
Severity: Low
Date : 2021-07-20
CVE-ID : CVE-2021-36769
Package : telegram-desktop
Type : content spoofing
Remote : Yes
Link :   https://security.archlinux.org/AVG-2170

Summary
======
The package telegram-desktop before version 2.8.11-1 is vulnerable to
content spoofing.

Resolution
=========
Upgrade to 2.8.11-1.

# pacman -Syu "telegram-desktop>=2.8.11-1"

The problem has been fixed upstream in version 2.8.11.

Workaround
=========
None.

Description
==========
A reordering issue exists in Telegram Desktop before 2.8.8. An attacker
can cause the server to receive messages in a different order than they
were sent by a client.

Impact
=====
A man-in-the-middle attacker could reorder the messages sent by a
client, potentially altering the meaning of the conversation.

References
=========
  https://mtpsym.github.io/
  https://security.archlinux.org/CVE-2021-36769