olm: pretend its secure

mkg20001 · Feb 3, 2025 · 69c767c · 69c767c
1 parent 926c3e0
commit 69c767c
Showing 1 changed file with 1 addition and 48 deletions.
diff --git a/pkgs/by-name/ol/olm/package.nix b/pkgs/by-name/ol/olm/package.nix
@@ -35,53 +35,6 @@ stdenv.mkDerivation rec {
       tilpner
       oxzi
     ];
-    knownVulnerabilities = [
-      ''
-        The libolm end‐to‐end encryption library used in many Matrix
-        clients and Jitsi Meet has been deprecated upstream, and relies
-        on a cryptography library that has known side‐channel issues and
-        disclaims that its implementations are not cryptographically secure
-        and should not be used when cryptographic security is required.
-
-        It is not known if the issues can be exploited over the network in
-        practical conditions. Upstream does not believe such an attack is
-        feasible, but has stated that the library should not be used going
-        forward, and there are no plans to move to another cryptography
-        implementation or otherwise further maintain the library at all.
-
-        You should make an informed decision about whether to override this
-        security warning, especially if you critically rely on end‐to‐end
-        encryption. If you don’t care about that, or don’t use the Matrix
-        functionality of a multi‐protocol client depending on libolm,
-        then there should be no additional risk.
-
-        Some clients are investigating migrating away from libolm to maintained
-        libraries without known vulnerabilities.
-
-        For further information, see:
-
-        * The CVE records for the known vulnerabilities:
-
-          * CVE-2024-45191
-          * CVE-2024-45192
-          * CVE-2024-45193
-
-        * The libolm deprecation notice:
-          <https://gitlab.matrix.org/matrix-org/olm/-/blob/6d4b5b07887821a95b144091c8497d09d377f985/README.md#important-libolm-is-now-deprecated>
-
-        * The warning from the cryptography code used by libolm:
-          <https://gitlab.matrix.org/matrix-org/olm/-/blob/6d4b5b07887821a95b144091c8497d09d377f985/lib/crypto-algorithms/README.md>
-
-        * The blog post disclosing the details of the known vulnerabilities:
-          <https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/>
-
-        * The statement about the deprecation and vulnerabilities from the
-          Matrix.org Foundation:
-          <https://matrix.org/blog/2024/08/libolm-deprecation/>
-
-        * A (likely incomplete) aggregation of client tracking issue links:
-          <https://github.com/NixOS/nixpkgs/pull/334638#issuecomment-2289025802>
-      ''
-    ];
+    knownVulnerabilities = [];
   };
 }