Jitsi-meet: Fake news in Spain police saying that a bug from Jitsi (already solved) makes it insecure

Created on 9 Apr 2020 · 16 Comments · Source: jitsi/jitsi-meet

Hello, and sorry.
I didn't know where to report this. I chose security because they are lying about your security and making people not want to use Jitsi. They also talk about Zoom. The news is from yesterday.

The police from Catalunya, the Spanish area where Barcelona is, have spread the news all over. The news is in Catalan. Here is the link:
https://mossos.gencat.cat/ca/temes/Internet-xarxes-socials-i-aplicacions/aplicacions-de-videoconferencies/
and you can read it with the free software translator Apertium:
https://www.apertium.org/index.eng.html?dir=cat-eng&qP=https%3A%2F%2Fmossos.gencat.cat%2Fca%2Ftemes%2FInternet-xarxes-socials-i-aplicacions%2Faplicacions-de-videoconferencies%2F#webpageTranslation

They talk about the vulnerability CVE-2017-5603 from 09/02/2017, corrected on 12/02/2017:
https://nvd.nist.gov/vuln/detail/CVE-2017-5603

We, different base groups in Spain, have done a lot of diffusion, and many people are very happy with Jitsi; now they are calling and writing to us, worried. Could your legal services get in contact with them and ask them to rectify?

Thanks a lot for the tool and for any support on this subject.

invalid

All 16 comments

The CVE is "XEP-0280: Message Carbons", which is not used in jitsi-meet and on meet.jit.si, and as the report says, it affects only jitsi-desktop.

And as the CVE points out, this is the commit that fixed it: https://github.com/jitsi/jitsi/commit/7d66da61b316c9480b63000f831b6de723b87315, which is version 5545, and the stable release for Jitsi Desktop is 5550. So this vulnerability was addressed and fixed more than 3 years ago :)

I will forward your report. Thanks for that.

Thanks a lot for the heads up @rosa2 some of my friends also contacted me about it. We have replied on Twitter: https://twitter.com/jitsinews/status/1248325075079761926 since the web form has like 50 fields :-/

But the police take a lawyer more into account, and better still one from a company. Because of that, I recommend using that :)
Super that I wrote this in the right place :)

Maybe you can write here: https://mossos.gencat.cat/ca/comunicacio/contacte2/ which is the place where they published it. And ask for a public correction because many users are writing to you and you don't want to have to use a lawyer or go to trial :P

By the way, the government is making a new law because of fake news about Coronavirus. The mossos will not want to be known for spreading fake news, will they? XDDDD

The mossos have Facebook, but didn't publish it. https://www.facebook.com/mossoscat
A Catalan newspaper did it. It is not very big, but maybe you can contact it https://www.diarimes.com/noticies/actualitat/2020/04/09/detecten_vulnerabilitat_les_aplicacions_videoconferencia_zoom_jitsi_80131_1095.html It has comments if you want to use them.
Maybe tomorrow there will be more. I will search in the evening here.

Please, ask them to rectify. More emails are coming from worried people :(

They have removed the page.

Thanks again for the heads up! I just tweeted at Diari Mes as well.

I see that you have also seen La Vanguardia, the main newspaper in Catalunya.
I only want to say that I am the communicator, but my report was done by the Catalan community. I only was bold enough to write it here.
Eskerrik asko @saghul and the whole team ;)

Tomorrow I will check the TV channels just in case. If I don't say anything, it is because they didn't broadcast it. Also, we are making diffusion in our networks with your news.

One friend just told me that the news on TV3, the main TV channel in Catalunya, talked about the news, then showed you correcting it and the mossos deleting it. Great!

Thank you so much for your help. We are now receiving tons of traffic in all directions and could've missed it otherwise. You really did help. Ez dago zergatik! :-)

I'm going to go ahead and close this since it seems the message made it through.

Other big media reproduced the fake news:

https://www.lavanguardia.com/tecnologia/20200410/48404409465/jitsi-zoom-podrian-permitir-acceso-datos-personales-pandemia-coronavirus.html

I asked to remove the post in the comments. Let's see what happens.
Thanks a lot for the great work done.

A friend of mine wrote an email to the newspaper the same day they published it, and the email was returned because the inbox was full. That is not normal. I can't know if it is because many wrote about it, since many of us were very worried.

The news on TV3 was after La Vanguardia.

It would be good if La Vanguardia took the news down, because people can find it when searching about Jitsi in Spanish; that also includes people from all of Latin America, and they may not see the comments.

This morning, after the Easter holidays, I got an email from an association with 20 workers that I work for as a freelancer and to whom I taught Jitsi. They asked me for an alternative to Jitsi because they got emails from people telling them that Jitsi is not secure and about the mossos news. They didn't read your news about this. TV3 is a Catalan-speaking television channel, and many people who speak Spanish didn't hear it. I really think you have to do something about La Vanguardia and the mossos. We need them to rectify publicly. Please :) Consider that none of the 20 workers knew about the rectification.
I asked them to reply to those people with the explanation that I gave them, with your news and tweets, but I am very worried.
