Outdated/Vulnerable Electron
frankm773 opened this issue
Wire version: 3.26.2941
Wire for Web Version 2022.02.22.08.56 (Any)
Operating system: Linux (Any)
Which antivirus software do you have installed: none
What steps will reproduce the problem?
The issue:
The current wire-desktop release is using a very old version of Electron with a large number of CVEs.
Even the current git version uses Electron 13.6.7 (current version is 13.6.9), which includes several CVEs.
While not all CVEs may be exploitable in the case of wire-desktop, it would take significant research to confirm that any single CVE is not exploitable, and the recommended security practice is to keep all dependencies updated.
As it stands now, wire-desktop has several hundred unfixed vulnerabilities (with official CVE numbers) due to outdated Electron and cannot be considered secure to operate.
What is the expected result?
The wire-desktop app should receive regular updates to keep up with the current release version of electron.
Alternatively, wire-desktop should be marked as unsupported due to lack of development/maintenance.
What is the actual result?
Wire-desktop includes a large number of vulnerabilities from outdated dependencies.
(There is not a single common security compliance framework that would allow an enterprise to use wire-desktop in production environments as a consequence)
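A dependency check in the spirit of this report, added here as an example that is not part of the Wire project: it reads an Electron app's package.json, strips the range prefix from the electron entry, and flags the declared version when it is behind the newest patch of its major line or behind the current major. The sample package.json strings and the latestByMajor table (13.6.9 as the last 13.x release) are constructed from the versions quoted in this thread; in a real audit the resolved version in the lockfile or node_modules/electron/package.json is the better input, since a caret range only states a lower bound.

```javascript
// Added example, not code from wire-desktop. Audits the Electron version an
// app declares against the newest patch of its major line and the current major.

// Parse "13.6.7", "^13.6.9", ">=19.0.0" etc. into [major, minor, patch].
// Range prefixes and any pre-release/build suffix are dropped.
function parseVersion(spec) {
  const m = /^[\^~>=<\s]*v?(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Three-way compare of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Return an audit finding for the electron entry of a package.json text.
// latestByMajor maps a major line to its newest known patch release;
// currentMajor is the major line currently supported upstream.
function auditElectron(packageJsonText, latestByMajor, currentMajor) {
  const pkg = JSON.parse(packageJsonText);
  const spec = (pkg.devDependencies && pkg.devDependencies.electron)
            || (pkg.dependencies && pkg.dependencies.electron);
  if (!spec) return { status: 'missing', reason: 'no electron dependency declared' };
  const v = parseVersion(spec);
  if (!v) return { status: 'unparseable', declared: spec };
  const latestPatch = latestByMajor[v[0]];
  if (latestPatch && compareVersions(v, parseVersion(latestPatch)) < 0) {
    return { status: 'outdated-patch', declared: spec, latest: latestPatch };
  }
  if (v[0] < currentMajor) {
    return { status: 'outdated-major', declared: spec, currentMajor };
  }
  return { status: 'ok', declared: spec };
}

// Constructed sample inputs mirroring the versions discussed in the issue.
const SAMPLE_OLD = JSON.stringify({ name: 'app', devDependencies: { electron: '13.6.7' } });
const SAMPLE_PATCHED = JSON.stringify({ name: 'app', devDependencies: { electron: '^13.6.9' } });
const SAMPLE_CURRENT = JSON.stringify({ name: 'app', devDependencies: { electron: '19.0.0' } });
// Constructed table; fill from the upstream release list for a real audit.
const LATEST_BY_MAJOR = { 13: '13.6.9' };

for (const s of [SAMPLE_OLD, SAMPLE_PATCHED, SAMPLE_CURRENT]) {
  console.log(auditElectron(s, LATEST_BY_MAJOR, 19));
}
```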
@frankm773 the latest 3.27.2944 Linux release should come with Electron 13.6.9, which should be the latest v13.x release. Can you take a look?
It seems to be fixed for now, though it's still a very old version of Electron instead of the current v19.
We are now updated to Electron 19 and have closed many open dependencies. Thanks!