Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/TomSellers/statuses/111128455743849089">Tom Sellers (tomsellers@infosec.exchange)'s status on Tuesday, 26-Sep-2023 23:56:11 JST</a><a href="https://infosec.exchange/@TomSellers" title="tomsellers@infosec.exchange"><img src="https://gnusocial.jp/avatar/179340-48-20240206221841.webp" width="48" height="48" alt="Tom Sellers" style="position: absolute; left: 0; top: 0;">Tom Sellers</a><div><a href="https://infosec.exchange/@TomSellers/111126352647377681" rel="in-reply-to">in reply to</a></div></section><article><p>In my earlier thread I should have recommended that folks be on the lookout for end of life(EoL) versions of Electron that are bundled with software that is itself updated to the latest version. I've observed a case where fully updated software was using Electron 22.x.x that isn't EoL yet, but will be  in 2 weeks. In those cases I strongly suggest you notify your vendor and, if it is paid software, pressure them to migrate to a supported version ASAP.</p><p>Note: There IS a patched version of 22.x.x which is 22.3.24.</p><p>Reference: <a href="https://www.electronjs.org/docs/latest/tutorial/electron-timelines" rel="nofollow noreferrer">https://www.electronjs.org/docs/latest/tutorial/electron-timelines</a></p><p><a href="https://infosec.exchange/tags/Security" rel="tag">#Security</a> <a href="https://infosec.exchange/tags/Electron" rel="tag">#Electron</a> <a href="https://infosec.exchange/tags/SBOM" rel="tag">#SBOM</a> <a href="https://infosec.exchange/tags/CVE20234863" rel="tag">#CVE20234863</a> <a href="https://infosec.exchange/tags/CVE" rel="tag">#CVE</a>-2023-4863 <a href="https://infosec.exchange/tags/CVE_2023_4863" rel="tag">#CVE_2023_4863</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2102750#notice-4134576">In conversation</a><time datetime="2023-09-26T23:56:11+09:00" title="Tuesday, 26-Sep-2023 23:56:11 JST">Tuesday, 26-Sep-2023 23:56:11 JST</time> <span>from <span><a href="https://infosec.exchange/@TomSellers/111128455743849089" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@TomSellers/111128455743849089">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/1571698">Screenshot of the Electron software end-of-life table. Of particular interest is that 23.0.0. is already EoL and 22.0.0 will go EoL on October 10, 2023.</a></label><br><a href="https://media.infosec.exchange/infosecmediaeu/media_attachments/files/111/128/421/161/251/171/original/e4d6a179a4883e8d.png" rel="external">https://media.infosec.exchange/infosecmediaeu/media_attachments/files/111/128/421/161/251/171/original/e4d6a179a4883e8d.png</a></li><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://www.electronjs.org/docs/latest/tutorial/electron-timelines#Security">Electron Releases | Electron</a></h5><div></div></header><div>Electron frequently releases major versions alongside every other Chromium release. This document focuses on the release cadence and version support policy. For a more in-depth guide on our git branches and how Electron uses semantic versions, check out our Electron Versioning doc.</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Tom Sellers (tomsellers@infosec.exchange)'s status on Tuesday, 26-Sep-2023 23:56:11 JST Tom Sellers
in reply to
In my earlier thread I should have recommended that folks be on the lookout for end of life(EoL) versions of Electron that are bundled with software that is itself updated to the latest version. I've observed a case where fully updated software was using Electron 22.x.x that isn't EoL yet, but will be in 2 weeks. In those cases I strongly suggest you notify your vendor and, if it is paid software, pressure them to migrate to a supported version ASAP.
Note: There IS a patched version of 22.x.x which is 22.3.24.
Reference: https://www.electronjs.org/docs/latest/tutorial/electron-timelines
#Security #Electron #SBOM #CVE20234863 #CVE-2023-4863 #CVE_2023_4863
In conversationTuesday, 26-Sep-2023 23:56:11 JST from infosec.exchangepermalink
Attachments
1. Screenshot of the Electron software end-of-life table. Of particular interest is that 23.0.0. is already EoL and 22.0.0 will go EoL on October 10, 2023.
  https://media.infosec.exchange/infosecmediaeu/media_attachments/files/111/128/421/161/251/171/original/e4d6a179a4883e8d.png
2. No result found on File_thumbnail lookup.
  Electron Releases | Electron
  Electron frequently releases major versions alongside every other Chromium release. This document focuses on the release cadence and version support policy. For a more in-depth guide on our git branches and how Electron uses semantic versions, check out our Electron Versioning doc.

Public

Embed Notice

HTML Code

Corresponding Notice