diff --git a/pkgs/development/libraries/olm/default.nix b/pkgs/development/libraries/olm/default.nix
index bb7553c2eb3e..f95574198710 100644
--- a/pkgs/development/libraries/olm/default.nix
+++ b/pkgs/development/libraries/olm/default.nix
@@ -27,5 +27,44 @@ stdenv.mkDerivation rec {
 homepage = "https://gitlab.matrix.org/matrix-org/olm";
 license = licenses.asl20;
 maintainers = with maintainers; [ tilpner oxzi ];
+ knownVulnerabilities = [ ''
+ The libolm end‐to‐end encryption library used in many Matrix
+ clients and Jitsi Meet has been deprecated upstream, and relies
+ on a cryptography library that has known side‐channel issues and
+ disclaims that its implementations are not cryptographically secure
+ and should not be used when cryptographic security is required.
+
+ It is not known that the issues can be exploited over the network in
+ practical conditions. Upstream has stated that the library should
+ not be used going forwards, and there are no plans to move to a
+ another cryptography implementation or otherwise further maintain
+ the library at all.
+
+ You should make an informed decision about whether to override this
+ security warning, especially if you critically rely on end‐to‐end
+ encryption. If you don’t care about that, or don’t use the Matrix
+ functionality of a multi‐protocol client depending on libolm,
+ then there should be no additional risk.
+
+ Some clients are investigating migrating away from libolm to maintained
+ libraries without known vulnerabilities.
+
+ For further information, see:
+
+ * The libolm deprecation notice:
+
+
+ * The warning from the cryptography code used by libolm:
+
+
+ * The blog post disclosing the details of the known vulnerabilities:
+
+
+ * The Matrix.org project lead’s response to the disclosure:
+
+
+ * A (likely incomplete) aggregation of client tracking issue links:
+
+ '' ];
 };
 }
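Review bot: The new `knownVulnerabilities` text has a wording slip that users will see verbatim in the evaluation error: "there are no plans to move to a / another cryptography implementation" should read `not be used going forwards, and there are no plans to move to` / `another cryptography implementation or otherwise further maintain`. Each of the five "For further information" bullets is followed by an empty added line where a link is expected; this may be an artifact of how the diff was captured, but since the text promises references, confirm that the URLs are actually present in the committed string rather than blank lines. The meta attrset this hunk extends begins before the hunk, so the enclosing `meta = with lib; { … }` and `mkDerivation` block are not visible here.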