[Pkg-matrix-maintainers] Bug#1079487: olm: CVE-2024-45191 CVE-2024-45192 CVE-2024-45193

Moritz Mühlenhoff jmm at inutil.org
Sun Sep 1 20:55:23 BST 2024


On Fri, Aug 30, 2024 at 07:53:58PM -0400, Hubert Chathi wrote:
> severity 1079487 important
> 
> Thanks for filing this bug report.
> 
> (Full disclosure: I am employed by Element to work on Matrix software,
> and am part of the cryptography team at Element.)
> 
> The Matrix.org foundation published a blog post about the
> vulnerabilities and the libolm deprecation:
> https://matrix.org/blog/2024/08/libolm-deprecation/ Of note: the blog
> indicates that the vulnerabilities are not believed to be practically
> exploitable, so:

Thanks, I've updated the Debian Security Tracker to mark these as ignored,
along with a reference to the https://matrix.org/blog/2024/08/libolm-deprecation
blog post.

> Yes.  Nheko and NeoChat are Matrix clients that are still being actively
> developed.  They may switch to vodozemac (the Rust implementation of the
> Olm/Megolm protocols, that does not have these vulnerabilities) in the
> future, but for now, libolm is still useful.
> 
> I've dropped the severity of this bug to "important" for now.  If the
> security team disagrees, they can change the severity.

Ack, let's simply keep these open to the point where no reverse deps
of libolm are left (at which point it can be removed from the archive).

Cheers,
        Moritz
