[Pkg-matrix-maintainers] Bug#1079487: olm: CVE-2024-45191 CVE-2024-45192 CVE-2024-45193

Hubert Chathi uhoreg at debian.org
Sat Aug 31 00:53:58 BST 2024


severity 1079487 important

Thanks for filing this bug report.

(Full disclosure: I am employed by Element to work on Matrix software,
and am part of the cryptography team at Element.)

The Matrix.org foundation published a blog post about the
vulnerabilities and the libolm deprecation:
https://matrix.org/blog/2024/08/libolm-deprecation/
Of note: the blog indicates that the vulnerabilities are not believed
to be practically exploitable, so:

On Fri, 23 Aug 2024 22:45:16 +0200, Salvatore Bonaccorso <carnil at debian.org> said:

...
> Should src:olm be removed from Debian (unstable)?

I don't think that it needs to be removed.

> There will be broken reverse dependencies. Are they actually still
> usable for having in Debian as well?

Yes.  Nheko and NeoChat are Matrix clients that are still being actively
developed.  They may switch to vodozemac (the Rust implementation of the
Olm/Megolm protocols, that does not have these vulnerabilities) in the
future, but for now, libolm is still useful.

I've dropped the severity of this bug to "important" for now.  If the
security team disagrees, they can change the severity.

-- 
Hubert Chathi <uhoreg at debian.org> -- https://www.uhoreg.ca/
Jabber: hubert at uhoreg.ca -- Matrix: @uhoreg:matrix.org
PGP/GnuPG key: 4096R/F24C F749 6C73 DDB8 DCB8  72DE B2DE 88D3 113A 1368