Source: olm
Version: 3.2.16+dfsg-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for olm.

CVE-2024-45191[0]:
| An issue was discovered in Matrix libolm (aka Olm) through 3.2.16.
| The AES implementation is vulnerable to cache-timing attacks due to
| use of S-boxes. This is related to software that uses a lookup table
| for the SubWord step. NOTE: This vulnerability only affects products
| that are no longer supported by the maintainer.

CVE-2024-45192[1]:
| An issue was discovered in Matrix libolm (aka Olm) through 3.2.16.
| Cache-timing attacks can occur due to use of base64 when decoding
| group session keys. NOTE: This vulnerability only affects products
| that are no longer supported by the maintainer.

CVE-2024-45193[2]:
| An issue was discovered in Matrix libolm (aka Olm) through 3.2.16.
| There is Ed25519 signature malleability due to lack of validation
| criteria (does not ensure that S < n). NOTE: This vulnerability only
| affects products that are no longer supported by the maintainer.

Note that olm, being deprecated, won't fix these issues; instead the upstream project committed:
https://gitlab.matrix.org/matrix-org/olm/-/commit/6d4b5b07887821a95b144091c8497d09d377f985

Should src:olm be removed from Debian (unstable)? There will be broken reverse dependencies. Are they actually still usable for having in Debian as well?

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45191
    https://www.cve.org/CVERecord?id=CVE-2024-45191
[1] https://security-tracker.debian.org/tracker/CVE-2024-45192
    https://www.cve.org/CVERecord?id=CVE-2024-45192
[2] https://security-tracker.debian.org/tracker/CVE-2024-45193
    https://www.cve.org/CVERecord?id=CVE-2024-45193

Regards,
Salvatore
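The CVE-2024-45193 entry above refers to the missing check that the scalar S of an Ed25519 signature is below the group order (called n in the CVE text, L in RFC 8032). Without it, a second encoding of the same signature (S + L) also verifies, which breaks the uniqueness that protocols built on signatures sometimes rely on. The following is an added example written for this report, not libolm's code and not the upstream commit linked above; it shows the canonicality check a verifier should apply to the S half of a 64-byte signature before running the full verification. It assumes the RFC 8032 encoding (R || S, S as a 32-byte little-endian integer) and the group-order constant from that RFC; the comparison is written without data-dependent branches so it does not reintroduce the timing side channel the first two CVEs describe.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ed25519 group order L = 2^252 + 27742317777372353535851937790883648493,
 * as 32 little-endian bytes (RFC 8032, section 5.1). */
static const uint8_t ED25519_L[32] = {
    0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
    0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
};

/* Returns 1 if the little-endian 32-byte scalar s is strictly less than L,
 * 0 otherwise.  The loop always runs over all 32 bytes and uses only
 * arithmetic masks, so its timing does not depend on the value of s. */
static int scalar_is_canonical(const uint8_t s[32])
{
    uint32_t lt = 0;  /* becomes 1 once a byte (from the top) shows s < L */
    uint32_t gt = 0;  /* becomes 1 once a byte (from the top) shows s > L */
    for (int i = 31; i >= 0; i--) {
        uint32_t a = s[i];
        uint32_t b = ED25519_L[i];
        /* a, b < 256: (a - b) wraps to a value with the top bit set iff a < b */
        uint32_t a_lt_b = (a - b) >> 31;
        uint32_t a_gt_b = (b - a) >> 31;
        /* only the most significant differing byte may decide the result */
        uint32_t undecided = 1u ^ (lt | gt);
        lt |= undecided & a_lt_b;
        gt |= undecided & a_gt_b;
    }
    return (int)lt;  /* equal to L is not canonical either (lt stays 0) */
}

/* An Ed25519 signature is R (32 bytes) || S (32 bytes).  Returns 1 when the
 * S encoding is canonical (S < L) and the signature may proceed to the
 * full verification; 0 means it must be rejected without further checks. */
int ed25519_signature_is_canonical(const uint8_t sig[64])
{
    return scalar_is_canonical(sig + 32);
}

int main(void)
{
    /* Constructed vectors for the S half only (R is irrelevant to this check). */
    uint8_t sig[64];
    memset(sig, 0, sizeof sig);

    sig[32] = 1;                        /* S = 1 */
    printf("S = 1     canonical: %d\n", ed25519_signature_is_canonical(sig));

    memcpy(sig + 32, ED25519_L, 32);    /* S = L */
    printf("S = L     canonical: %d\n", ed25519_signature_is_canonical(sig));

    sig[32] = 0xec;                     /* S = L - 1, the largest valid scalar */
    printf("S = L - 1 canonical: %d\n", ed25519_signature_is_canonical(sig));

    sig[32] = 0xee;                     /* S = L + 1 */
    printf("S = L + 1 canonical: %d\n", ed25519_signature_is_canonical(sig));
    return 0;
}
```

The check is cheap and should run before any curve arithmetic; a verifier that only reduces S modulo L internally will accept both S and S + L for the same message, which is exactly the malleability the CVE describes.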

