Armcord 3.2.4 still uses vulnerable Electron 26.1.0

[LudovicoPiero]

Describe the bug
Latest Release still using the vulnerable Electron 26.1.0

Additional context
For more info, check NixOS/nixpkgs#254798 (comment)

[smartfrigde]

There's a unstable release with Electron 27 Beta 2 which appears to patch it according to change logs. I'm waiting for a stable E27 release first for it to be on a stable tag

[tazz4843]

I feel like stability should quite frankly be thrown out the window here. This is a dead easy exploit to use, and all it takes is a few script kiddies before someone's device is done for. I guarantee there will be script kiddies posting this all over Discord within days.

[Vendicated]

Discord is most likely inherently not affected because all images are proxied through their media proxy which re-encodes images anyway

In any case, a bump from 26.1.0 to 26.2.1 would still be very good to fix the vulnerability, to reduce the impact of things that could potentially happen like Discord having another XSS

[Phoenix616]

26.2.1 indeed updated Chromium to a fixed version so this should be a very minor update and not requiring a wait for 27. (Without this update one should not trust this application. Even though Discord might re-encode uploaded files there are a couple other places one can easily imagine where images are displayed directly and not from Discord's servers...)

[taukakao]

This is not relevant anymore.