Jitsi-Meet flagged insecure

TuotHash · February 25, 2026, 9:12pm

So I wanted to set up a jitsi-meet server for myself, when the rebuild failed with a warning that the package for jitsi-meet is insecure.

error: Package ‘jitsi-meet-1.0.8792’ in /nix/store/00jyv3p5ixqjdamk8lbszk0nmdy4y1zw-nixos-25.11/nixos/pkgs/by-name/ji/jitsi-meet/package.nix:59 is marked as insecure, refusing to evaluate.

Investigating the package I saw it is declared as 1.0.8792 which should be interpreted as this, by the nix configuration. The insecure flagging most likely comes because of this older package, which is also called 8792.

After investigating some more, it seems the naming scheme of jitsi is kind of messed up and also there is a v2/stable release line and I can’t wrap my head around it.

To me it seems like the nix package is falsely flagged as insecure.

magicquark · February 25, 2026, 11:42pm

The insecure flagging is because of the use of olm.

Here is where the vulnerabilities are declared in the package.

The vulnerabilities are documented here.

magicquark · February 25, 2026, 11:48pm

The version = "1.0.8792"; gets converted into the tag like so tag = lib.last (lib.splitVersion finalAttrs.version);. So it should be using 8792 as the tag, which looks correct to me.

waffle8946 · February 26, 2026, 12:05am

Yeah the tag is irrelevant, as long as libolm is still in use. And it is.

github.com/jitsi/jitsi-meet

app.js

a6422882d


      
          /* Jitsi Meet app main entrypoint. */
          
          // Re-export jQuery
          // FIXME: Remove this requirement from torture tests.
          import $ from 'jquery';
          
          window.$ = window.jQuery = $;
          
          import '@matrix-org/olm';
          
          import 'focus-visible';
          
          /*
          * Safari polyfill for createImageBitmap
          * https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/createImageBitmap
          *
          * Support source image types: Canvas.
          */
          if (!('createImageBitmap' in window)) {

See below for context.

github.com/NixOS/nixpkgs

olm: add more information to `knownVulnerabilities`

master ← emilazy:push-lnwmxoqyymyt

opened 06:12PM - 23 Aug 24 UTC

emilazy

+9 -2

## Description of changes CVE numbers were assigned, and This Week in Matrix …included an announcement from the Matrix.org project lead. An official post from the Matrix.org Foundation is apparently still pending. ## Things done - Built on platform(s) - [ ] x86_64-linux - [ ] aarch64-linux - [ ] x86_64-darwin - [ ] aarch64-darwin - For non-Linux: Is sandboxing enabled in `nix.conf`? (See [Nix manual](https://nixos.org/manual/nix/stable/command-ref/conf-file.html)) - [ ] `sandbox = relaxed` - [ ] `sandbox = true` - [ ] Tested, as applicable: - [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests)) - and/or [package tests](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests) - or, for functions and "core" functionality, tests in [lib/tests](https://github.com/NixOS/nixpkgs/blob/master/lib/tests) or [pkgs/test](https://github.com/NixOS/nixpkgs/blob/master/pkgs/test) - made sure NixOS tests are [linked](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#linking-nixos-module-tests-to-a-package) to the relevant packages - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage) - [ ] Tested basic functionality of all binary files (usually in `./result/bin/`) - [24.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) (or backporting [23.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2311.section.md) and [24.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2405.section.md) Release notes) - [ ] (Package updates) Added a release notes entry if the change is major or breaking - [ ] (Module updates) Added a release notes entry if the change is significant - [ ] (Module addition) Added a release notes entry if adding a new NixOS module - [x] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md). --- Add a :+1: [reaction] to [pull requests you find important]. [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/ [pull requests you find important]: https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+sort%3Areactions-%2B1-desc

github.com/NixOS/nixpkgs

olm: mark as vulnerable

master ← emilazy:push-twxurolyowvm

opened 02:24PM - 14 Aug 24 UTC

emilazy

+47 -1

## Description of changes See <https://soatok.blog/2024/08/14/security-issues…-in-matrixs-olm-library/>. ## Things done - Built on platform(s) - [ ] x86_64-linux - [ ] aarch64-linux - [ ] x86_64-darwin - [ ] aarch64-darwin - For non-Linux: Is sandboxing enabled in `nix.conf`? (See [Nix manual](https://nixos.org/manual/nix/stable/command-ref/conf-file.html)) - [ ] `sandbox = relaxed` - [ ] `sandbox = true` - [ ] Tested, as applicable: - [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests)) - and/or [package tests](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests) - or, for functions and "core" functionality, tests in [lib/tests](https://github.com/NixOS/nixpkgs/blob/master/lib/tests) or [pkgs/test](https://github.com/NixOS/nixpkgs/blob/master/pkgs/test) - made sure NixOS tests are [linked](https://nixos.org/manual/nixpkgs/unstable/#ssec-nixos-tests-linking) to the relevant packages - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage) - [ ] Tested basic functionality of all binary files (usually in `./result/bin/`) - [24.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) (or backporting [23.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2311.section.md) and [24.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2405.section.md) Release notes) - [ ] (Package updates) Added a release notes entry if the change is major or breaking - [ ] (Module updates) Added a release notes entry if the change is significant - [ ] (Module addition) Added a release notes entry if adding a new NixOS module - [x] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md). --- Add a :+1: [reaction] to [pull requests you find important]. [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/ [pull requests you find important]: https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+sort%3Areactions-%2B1-desc

TuotHash · February 26, 2026, 10:14am

What I wasn‘t understanding is how this is still used when vulnerable for so long (CVE-2024-45191)

But it seems the way it is implemented in jitsi-meet, it doesn‘t let the vulnerability be exploited.

But now it‘s annoying I have to allow an unsecure package.

I‘m not sure what the point here is, but I think there is one…

magicquark · February 26, 2026, 10:49am

This is the justification given by upstream.