olm: update vulnerability description

Additional information has been published by upstream about why they believe the vulnerability to not be exploitable over the network: https://matrix.org/blog/2024/08/libolm-deprecation/ This commit * updates the text of the vulnerability warning to indicate that upstream does not believe the issues to be exploitable over the network, and * adds a link to the blog post. Co-authored-by: Emily <[email protected]> Signed-off-by: Sumner Evans <[email protected]>
NixOS · Aug 28, 2024 · 537d3c4 · 537d3c4
1 parent 215ea74
commit 537d3c4
Showing 1 changed file with 8 additions and 8 deletions.
diff --git a/pkgs/development/libraries/olm/default.nix b/pkgs/development/libraries/olm/default.nix
@@ -34,11 +34,11 @@ stdenv.mkDerivation rec {
       disclaims that its implementations are not cryptographically secure
       and should not be used when cryptographic security is required.
 
-      It is not known that the issues can be exploited over the network in
-      practical conditions. Upstream has stated that the library should
-      not be used going forwards, and there are no plans to move to a
-      another cryptography implementation or otherwise further maintain
-      the library at all.
+      It is not known if the issues can be exploited over the network in
+      practical conditions. Upstream does not believe such an attack is
+      feasible, but has stated that the library should not be used going
+      forward, and there are no plans to move to a another cryptography
+      implementation or otherwise further maintain the library at all.
 
       You should make an informed decision about whether to override this
       security warning, especially if you critically rely on end‐to‐end
@@ -66,9 +66,9 @@ stdenv.mkDerivation rec {
       * The blog post disclosing the details of the known vulnerabilities:
         <https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/>
 
-      * The announcement in This Week in Matrix from the Matrix.org
-        project lead:
-        <https://matrix.org/blog/2024/08/16/this-week-in-matrix-2024-08-16/#dept-of-encryption-closed-lock-with-key>
+      * The statement about the deprecation and vulnerabilities from the
+        Matrix.org Foundation:
+        <https://matrix.org/blog/2024/08/libolm-deprecation/>
 
       * A (likely incomplete) aggregation of client tracking issue links:
         <https://github.com/NixOS/nixpkgs/pull/334638#issuecomment-2289025802>