olm: update vulnerability description

Additional information has been published by upstream about why they believe the vulnerability to not be exploitable over the network: https://matrix.org/blog/2024/08/libolm-deprecation/ This commit * updates the text of the vulnerability warning to indicate that upstream does not believe the issues to be exploitable over the network, and * adds a link to the blog post. Co-authored-by: Emily <hello@emily.moe> Signed-off-by: Sumner Evans <sumner.evans@automattic.com>
NixOS · Aug 28, 2024 · 40bf790 · 40bf790
1 parent 215ea74
commit 40bf790
Showing 1 changed file with 10 additions and 5 deletions.
diff --git a/pkgs/development/libraries/olm/default.nix b/pkgs/development/libraries/olm/default.nix
@@ -34,11 +34,11 @@ stdenv.mkDerivation rec {
       disclaims that its implementations are not cryptographically secure
       and should not be used when cryptographic security is required.
 
-      It is not known that the issues can be exploited over the network in
-      practical conditions. Upstream has stated that the library should
-      not be used going forwards, and there are no plans to move to a
-      another cryptography implementation or otherwise further maintain
-      the library at all.
+      It is not known if the issues can be exploited over the network in
+      practical conditions. Upstream does not believe such an attack is
+      feasible, but has stated that the library should not be used going
+      forward, and there are no plans to move to a another cryptography
+      implementation or otherwise further maintain the library at all.
 
       You should make an informed decision about whether to override this
       security warning, especially if you critically rely on end‐to‐end
@@ -70,6 +70,11 @@ stdenv.mkDerivation rec {
         project lead:
         <https://matrix.org/blog/2024/08/16/this-week-in-matrix-2024-08-16/#dept-of-encryption-closed-lock-with-key>
 
+      * A blog post about libolm's deprecation on the Matrix.org blog that also
+        explains why upstream believes the vulnerabilities are not exploitable
+        over the network:
+        <https://matrix.org/blog/2024/08/libolm-deprecation/>
+
       * A (likely incomplete) aggregation of client tracking issue links:
         <https://github.com/NixOS/nixpkgs/pull/334638#issuecomment-2289025802>
     '' ];