dev/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

olm: mark as vulnerable

Browse Source 
See <https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/>.
This commit is contained in:
Emily 2024-08-14 15:15:25 +01:00
parent 936b2614d4
commit e4767b4727
1 changed files with 39 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
pkgs/development/libraries/olm/default.nix
View File

@ -27,5 +27,44 @@ stdenv.mkDerivation rec {
homepage = "https://gitlab.matrix.org/matrix-org/olm"; homepage = "https://gitlab.matrix.org/matrix-org/olm";
license = licenses.asl20; license = licenses.asl20;
maintainers = with maintainers; [ tilpner oxzi ]; maintainers = with maintainers; [ tilpner oxzi ];
knownVulnerabilities = [ ''
The libolm endtoend encryption library used in many Matrix
clients and Jitsi Meet has been deprecated upstream, and relies
on a cryptography library that has known sidechannel issues and
disclaims that its implementations are not cryptographically secure
and should not be used when cryptographic security is required.
It is not known that the issues can be exploited over the network in
practical conditions. Upstream has stated that the library should
not be used going forwards, and there are no plans to move to a
another cryptography implementation or otherwise further maintain
the library at all.
You should make an informed decision about whether to override this
security warning, especially if you critically rely on endtoend
encryption. If you dont care about that, or dont use the Matrix
functionality of a multiprotocol client depending on libolm,
then there should be no additional risk.
Some clients are investigating migrating away from libolm to maintained
libraries without known vulnerabilities.
For further information, see:
* The libolm deprecation notice:
<https://gitlab.matrix.org/matrix-org/olm/-/blob/6d4b5b07887821a95b144091c8497d09d377f985/README.md#important-libolm-is-now-deprecated>
* The warning from the cryptography code used by libolm:
<https://gitlab.matrix.org/matrix-org/olm/-/blob/6d4b5b07887821a95b144091c8497d09d377f985/lib/crypto-algorithms/README.md>
* The blog post disclosing the details of the known vulnerabilities:
<https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/>
* The Matrix.org project leads response to the disclosure:
<https://news.ycombinator.com/item?id=41249371>
* A (likely incomplete) aggregation of client tracking issue links:
<https://github.com/NixOS/nixpkgs/pull/334638#issuecomment-2289025802>
'' ];
}; };
} }