In case anyone’s interested, I did a quick bit of research into whether flatpaks I was running have fixed CVE-2023-4863, the recent 0-day in libwebp that was initially reported as a Chrome vulnerability but actually affects all sorts of stuff (anything that might have libwebp bundled or statically linked). Feel free to add your own!
- Element (im.riot.Riot): FIXED in 1.11.43, per upstream Changelog; 1.11.43 appeared in the flatpak last week and that’s the version number shown on Flathub
- Slack (com.slack.Slack): NOT FIXED. Upstream release notes indicate it’s likely fixed in 4.34.120, but the pull request to update the flatpak to that version is still pending
- Discord (com.discordapp.Discord): there was an update to version 0.0.30 four days ago, which seems promising, but Discord does not appear to provide release notes upstream or downstream, so who knows.