severity 1079487 important

Thanks for filing this bug report.

(Full disclosure: I am employed by Element to work on Matrix software, and am part of the cryptography team at Element.)

The Matrix.org foundation published a blog post about the vulnerabilities and the libolm deprecation: https://matrix.org/blog/2024/08/libolm-deprecation/

Of note: the blog indicates that the vulnerabilities are not believed to be practically exploitable, so:

On Fri, 23 Aug 2024 22:45:16 +0200, Salvatore Bonaccorso <car...@debian.org> said:

...

> Should src:olm be removed from Debian (unstable)?

I don't think that it needs to be removed.

> There will be broken reverse dependencies. Are they actually still
> usable for having in Debian as well?

Yes. Nheko and NeoChat are Matrix clients that are still being actively developed. They may switch to vodozemac (the Rust implementation of the Olm/Megolm protocols, that does not have these vulnerabilities) in the future, but for now, libolm is still useful.

I've dropped the severity of this bug to "important" for now. If the security team disagrees, they can change the severity.

--
Hubert Chathi <uho...@debian.org> -- https://www.uhoreg.ca/
Jabber: hub...@uhoreg.ca -- Matrix: @uhoreg:matrix.org
PGP/GnuPG key: 4096R/F24C F749 6C73 DDB8 DCB8 72DE B2DE 88D3 113A 1368