From 537d3c4b5a34815dca0d8b83cb3e379a9e1fa2a9 Mon Sep 17 00:00:00 2001 From: Sumner Evans Date: Wed, 28 Aug 2024 13:30:21 -0600 Subject: [PATCH] olm: update vulnerability description Additional information has been published by upstream about why they believe the vulnerability to not be exploitable over the network: https://matrix.org/blog/2024/08/libolm-deprecation/ This commit * updates the text of the vulnerability warning to indicate that upstream does not believe the issues to be exploitable over the network, and * adds a link to the blog post. Co-authored-by: Emily Signed-off-by: Sumner Evans --- pkgs/development/libraries/olm/default.nix | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/pkgs/development/libraries/olm/default.nix b/pkgs/development/libraries/olm/default.nix index 3fda0206ace57..f0a6c47d4ca72 100644 --- a/pkgs/development/libraries/olm/default.nix +++ b/pkgs/development/libraries/olm/default.nix @@ -34,11 +34,11 @@ stdenv.mkDerivation rec { disclaims that its implementations are not cryptographically secure and should not be used when cryptographic security is required. - It is not known that the issues can be exploited over the network in - practical conditions. Upstream has stated that the library should - not be used going forwards, and there are no plans to move to a - another cryptography implementation or otherwise further maintain - the library at all. + It is not known if the issues can be exploited over the network in + practical conditions. Upstream does not believe such an attack is + feasible, but has stated that the library should not be used going + forward, and there are no plans to move to a another cryptography + implementation or otherwise further maintain the library at all. You should make an informed decision about whether to override this security warning, especially if you critically rely on end‐to‐end 
@@ -66,9 +66,9 @@ stdenv.mkDerivation rec { * The blog post disclosing the details of the known vulnerabilities: - * The announcement in This Week in Matrix from the Matrix.org - project lead: - + * The statement about the deprecation and vulnerabilities from the + Matrix.org Foundation: + * A (likely incomplete) aggregation of client tracking issue links:
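Review bot: In the first hunk (`@@ -34,11 +34,11 @@`), the replacement text carries over the pre-existing typo "move to a another cryptography implementation"; since the sentence is being rewritten anyway, drop the stray article so the new line reads "and there are no plans to move to another cryptography implementation". The rest of the rewording ("It is not known if" and "Upstream does not believe such an attack is feasible, but") reads well and matches the stated intent of the commit.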
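Review bot: In the second hunk (`@@ -66,9 +66,9 @@`), the added line following `+ * The statement about the deprecation and vulnerabilities from the` / `+ Matrix.org Foundation:` shows no URL in the hunk as rendered here, while the commit message says the change "adds a link to the blog post"; confirm the link line actually carries https://matrix.org/blog/2024/08/libolm-deprecation/ (the URL given in the commit message) and is not an empty `+` line, and that the removed "This Week in Matrix" entry is not still referenced elsewhere in the warning text.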