nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-25 16:33:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

olm: update vulnerability description

Browse Source 
Additional information has been published by upstream about why they
believe the vulnerability to not be exploitable over the network:
https://matrix.org/blog/2024/08/libolm-deprecation/

This commit

* updates the text of the vulnerability warning to indicate that
  upstream does not believe the issues to be exploitable over the
  network, and
* adds a link to the blog post.

Co-authored-by: Emily <hello@emily.moe>
Signed-off-by: Sumner Evans <sumner.evans@automattic.com>
This commit is contained in:
Sumner Evans 2024-08-28 13:30:21 -06:00
parent 215ea7473f
commit 537d3c4b5a
No known key found for this signature in database
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
pkgs/development/libraries/olm/default.nix
View File

@ -34,11 +34,11 @@ stdenv.mkDerivation rec {
disclaims that its implementations are not cryptographically secure
and should not be used when cryptographic security is required.
It is not known that the issues can be exploited over the network in
practical conditions. Upstream has stated that the library should
not be used going forwards, and there are no plans to move to a
another cryptography implementation or otherwise further maintain
the library at all.
It is not known if the issues can be exploited over the network in
practical conditions. Upstream does not believe such an attack is
feasible, but has stated that the library should not be used going
forward, and there are no plans to move to a another cryptography
implementation or otherwise further maintain the library at all.
You should make an informed decision about whether to override this
security warning, especially if you critically rely on endtoend
@ -66,9 +66,9 @@ stdenv.mkDerivation rec {
* The blog post disclosing the details of the known vulnerabilities:
<https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/>
* The announcement in This Week in Matrix from the Matrix.org
project lead:
<https://matrix.org/blog/2024/08/16/this-week-in-matrix-2024-08-16/#dept-of-encryption-closed-lock-with-key>
* The statement about the deprecation and vulnerabilities from the
Matrix.org Foundation:
<https://matrix.org/blog/2024/08/libolm-deprecation/>
* A (likely incomplete) aggregation of client tracking issue links:
<https://github.com/NixOS/nixpkgs/pull/334638#issuecomment-2289025802>