[Pkg-matrix-maintainers] Bug#1079487: olm: CVE-2024-45191 CVE-2024-45192 CVE-2024-45193

Salvatore Bonaccorso carnil at debian.org
Fri Aug 23 21:45:16 BST 2024


Source: olm
Version: 3.2.16+dfsg-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerabilities were published for olm.

CVE-2024-45191[0]:
| An issue was discovered in Matrix libolm (aka Olm) through 3.2.16.
| The AES implementation is vulnerable to cache-timing attacks due to
| use of S-boxes. This is related to software that uses a lookup table
| for the SubWord step. NOTE: This vulnerability only affects products
| that are no longer supported by the maintainer.


CVE-2024-45192[1]:
| An issue was discovered in Matrix libolm (aka Olm) through 3.2.16.
| Cache-timing attacks can occur due to use of base64 when decoding
| group session keys. NOTE: This vulnerability only affects products
| that are no longer supported by the maintainer.


CVE-2024-45193[2]:
| An issue was discovered in Matrix libolm (aka Olm) through 3.2.16.
| There is Ed25519 signature malleability due to lack of validation
| criteria (does not ensure that S < n). NOTE: This vulnerability only
| affects products that are no longer supported by the maintainer.

Note that olm, being deprecated, won't fix these issues; instead the
upstream project committed:

https://gitlab.matrix.org/matrix-org/olm/-/commit/6d4b5b07887821a95b144091c8497d09d377f985

Should src:olm be removed from Debian (unstable)? There will be broken
reverse dependencies. Are they actually still usable for having in
Debian as well?

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45191
    https://www.cve.org/CVERecord?id=CVE-2024-45191
[1] https://security-tracker.debian.org/tracker/CVE-2024-45192
    https://www.cve.org/CVERecord?id=CVE-2024-45192
[2] https://security-tracker.debian.org/tracker/CVE-2024-45193
    https://www.cve.org/CVERecord?id=CVE-2024-45193

Regards,
Salvatore
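Added example, not from the bug report or from libolm: the range check that CVE-2024-45193 refers to. RFC 8032 (section 5.1.7) requires a verifier to reject any signature whose scalar S is not in 0 <= S < L, where L is the order of the Ed25519 base point. A verifier that only uses S through scalar multiplication treats S and S + k*L identically, so one valid signature has several byte encodings that it will accept; anything that deduplicates, hashes or indexes by signature bytes then misbehaves. The "lax verifier" below is a model of that behaviour, not libolm's code, and the sample signature is constructed (arbitrary R, small S), not a real one. `verify_canonical` shows how to put the check in front of any verifier that lacks it.

```python
# Ed25519 signature canonicality (RFC 8032, section 5.1.7): reject unless 0 <= S < L.
# Added example, not libolm code. lax_verifier_scalar models a verifier without the
# check; sample_signature is a constructed input, not a real signature.

L = 2**252 + 27742317777372353535851937790883648493  # order of the Ed25519 base point


def split_signature(sig: bytes):
    """Return (R, S) from a 64-byte Ed25519 signature; S is little-endian."""
    if len(sig) != 64:
        raise ValueError("Ed25519 signature must be exactly 64 bytes")
    return sig[:32], int.from_bytes(sig[32:], "little")


def is_canonical(sig: bytes) -> bool:
    """The check libolm lacked: the scalar S must be reduced, i.e. S < L."""
    _, s = split_signature(sig)
    return s < L


def lax_verifier_scalar(sig: bytes) -> int:
    """Model of a verifier without the range check: S only enters scalar
    multiplication, so S and S + k*L give the same result."""
    _, s = split_signature(sig)
    return s % L


def noncanonical_encodings(sig: bytes) -> list:
    """Every encoding S + k*L (k >= 1) that still fits in 32 bytes.
    2^256 is just below 16*L, so a small S has 15 of them."""
    r, s = split_signature(sig)
    if s >= L:
        raise ValueError("input is already non-canonical")
    out = []
    k = 1
    while s + k * L < 2**256:
        out.append(r + (s + k * L).to_bytes(32, "little"))
        k += 1
    return out


def malleate(sig: bytes) -> bytes:
    """Cheapest alternate encoding: same R, S + L."""
    return noncanonical_encodings(sig)[0]


def verify_canonical(verify, public_key: bytes, message: bytes, sig: bytes) -> bool:
    """Wrap any Ed25519 verifier so the range check runs before it is called.
    verify(public_key, message, sig) -> bool is whatever library you already use."""
    if not is_canonical(sig):
        return False
    return verify(public_key, message, sig)


def sample_signature() -> bytes:
    """Constructed sample, not a real signature: arbitrary R, small S."""
    r = bytes(range(32))
    s = 0x1234567890ABCDEF
    return r + s.to_bytes(32, "little")


if __name__ == "__main__":
    sig = sample_signature()
    alt = malleate(sig)
    print("canonical:", is_canonical(sig), is_canonical(alt))
    print("lax verifier sees same scalar:", lax_verifier_scalar(sig) == lax_verifier_scalar(alt))
    print("alternate encodings:", len(noncanonical_encodings(sig)))
```

The check is a single integer comparison on the last 32 bytes, so it costs nothing to add in front of an existing verifier; the failure mode it closes is not forgery but acceptance of several distinct byte strings for one signature.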


