(In reply to Kai Engert (:KaiE:) from comment #20)
> Patrick and Tom, if I understand correctly, CVE-2021-44538 has been assigned to the issue in the library.

This is correct; it is the CVE assigned to libolm.
> Do we need a separate CVE for Thunderbird?
> If you think that the Thunderbird release notes should mention that we have fixed the issue in TB, then I think we need a separate CVE, right?
I do not know how this process usually works. I defer to whatever we usually do for CVEs in other packages which affect us.
> Should we copy the advisory text, or is there anything we should mention that is specific to Thunderbird?

The only Thunderbird-specific thing to mention is that it could only affect users who have a Matrix account configured.
(In reply to Kai Engert (:KaiE:) from comment #21)
> Patrick, which security rating should this bug get, based on the categories here?
> low, medium, high or critical?

Reading through those, I think it should probably be medium, as the disclosure says it is not exploitable, or maybe low, since there isn't any leak of information due to it? (Note that the predisclosure calls it "high severity", but there's no documented system for Matrix to assign low/medium/high, so it is hard to know how they came up with that description.)