Regarding the newly discovered vulnerability in matrix clients and libraries.
The Problem Hi! Per https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing , nheko <=0.8.2 is vulnerable to those vulnerabilities, and there isn't any new release that I could find...
TL;DR, 0.8.2 shouldn't be trusted for secure communication anyway, which is why we have a few big warnings in various places.
Copying the security announcement I made in the Nheko room: Security vulnerability when resharing encryption keys Affected versions
undefined
Latest stable release in a very limited manner. No security patch will be provided, details below.
Current master branch and nightlies. If you update now, you should get a fix for it.
Details on the vulnerability
Devices in a room are identified by a device id. Nheko uses this id to keep track of which devices it should reshare keys to, if a device rerequests them. Because the device id is a user/server defined string, this is not enough to authenticate, that you are actually talking to the same device. For this reason Nheko keeps track of the curve25519 and ed25519 keys of each device in a room and disallows a different device to claim the same keys or the same device id.
This logic seems to work fine, although it coul