[Pkg-rust-maintainers] Bug#1057096: rust-rsa: CVE-2023-49092: RUSTSEC-2023-0071: Marvin Attack: potential key recovery through timing sidechannels
Salvatore Bonaccorso
carnil at debian.org
Wed Nov 29 16:27:15 GMT 2023
Source: rust-rsa
Version: 0.9.2-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for rust-rsa.
CVE-2023-49092[0]:
| RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to
| a non-constant-time implementation, information about the private
| key is leaked through timing information which is observable over
| the network. An attacker may be able to use that information to
| recover the key. There is currently no fix available. As a
| workaround, avoid using the RSA crate in settings where attackers
| are able to observe timing information, e.g. local use on a non-
| compromised computer.
TTBOMK no fix is yet available at time of writing.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-49092
https://www.cve.org/CVERecord?id=CVE-2023-49092
[1] https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr
[2] https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643
[3] https://rustsec.org/advisories/RUSTSEC-2023-0071.html
[4] https://people.redhat.com/~hkario/marvin/
Regards,
Salvatore
More information about the Pkg-rust-maintainers
mailing list