This project contains known security vulnerabilities. Find detailed information at the bottom.
Crate base16ct
No external dependencies! 🙌
Crate base32ct
Dev dependencies (2 total, 1 outdated)
Crate         Required       Latest   Status
base32        ^0.4           0.4.0    up to date
proptest      =1.2.0         1.4.0    out of date
Crate base64ct
Dev dependencies (2 total, 1 outdated)
Crate         Required       Latest   Status
base64        ^0.22          0.22.1   up to date
proptest      =1.2.0         1.4.0    out of date
Crate cmpv2
Dependencies (4 total, 2 outdated)
Crate         Required       Latest   Status
crmf          =0.3.0-pre     0.2.0    out of date
der           =0.8.0-pre.0   0.7.9    up to date
spki          =0.8.0-pre.0   0.7.3    up to date
x509-cert     =0.3.0-pre     0.2.5    out of date
Dev dependencies (2 total, all up-to-date)
Crate cms
Dependencies (13 total, 2 outdated, 1 insecure)
Crate         Required       Latest   Status
der           =0.8.0-pre.0   0.7.9    up to date
spki          =0.8.0-pre.0   0.7.3    up to date
x509-cert     =0.3.0-pre     0.2.5    out of date
const-oid     =0.10.0-pre.2  0.9.6    up to date
aes           =0.9.0-pre     0.8.4    up to date
cbc           =0.2.0-pre     0.1.2    out of date
cipher        =0.5.0-pre.4   0.4.4    up to date
rsa ⚠️        =0.10.0-pre.1  0.9.6    insecure
sha1          =0.11.0-pre.3  0.10.6   up to date
sha2          =0.11.0-pre.3  0.10.8   up to date
sha3          =0.11.0-pre.3  0.10.8   up to date
signature     =2.3.0-pre.3   2.2.0    up to date
zeroize       ^1.6.0         1.7.0    up to date
Dev dependencies (8 total, 1 insecure)
Crate         Required       Latest   Status
getrandom     ^0.2           0.2.14   up to date
hex-literal   ^0.4           0.4.1    up to date
pem-rfc7468   =1.0.0-pre.0   0.7.0    up to date
pkcs5         =0.8.0-pre.0   0.7.1    up to date
rand          ^0.8.5         0.8.5    up to date
rsa ⚠️        =0.10.0-pre.1  0.9.6    insecure
ecdsa         =0.17.0-pre.5  0.16.9   up to date
p256          =0.14.0-pre.0  0.13.2   up to date
Crate const-oid
Dependencies (1 total, all up-to-date)
Crate         Required       Latest   Status
arbitrary     ^1.2           1.3.2    up to date
Dev dependencies (1 total, all up-to-date)
Crate         Required       Latest   Status
hex-literal   ^0.4           0.4.1    up to date
Crate crmf
Dependencies (4 total, 2 outdated)
Crate         Required       Latest   Status
cms           =0.3.0-pre     0.2.3    out of date
der           =0.8.0-pre.0   0.7.9    up to date
spki          =0.8.0-pre.0   0.7.3    up to date
x509-cert     =0.3.0-pre     0.2.5    out of date
Dev dependencies (1 total, all up-to-date)
Crate         Required       Latest   Status
const-oid     =0.10.0-pre.2  0.9.6    up to date
Crate der
Dependencies (8 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate der_derive
Dependencies (3 total, all up-to-date)
Crate         Required       Latest   Status
proc-macro2   ^1             1.0.81   up to date
quote         ^1             1.0.36   up to date
syn           ^2             2.0.60   up to date
Crate gss-api
Dependencies (3 total, 1 outdated)
Crate         Required       Latest   Status
der           =0.8.0-pre.0   0.7.9    up to date
spki          =0.8.0-pre.0   0.7.3    up to date
x509-cert     =0.3.0-pre     0.2.5    out of date
Dev dependencies (3 total, 1 outdated)
Crate         Required       Latest   Status
der           =0.8.0-pre.0   0.7.9    up to date
hex-literal   ^0.4           0.4.1    up to date
x509-cert     =0.3.0-pre     0.2.5    out of date
Crate pem-rfc7468
Dependencies (1 total, all up-to-date)
Crate         Required       Latest   Status
base64ct      ^1.4           1.6.0    up to date
Crate pkcs1
Dependencies (3 total, all up-to-date)
Crate         Required       Latest   Status
der           =0.8.0-pre.0   0.7.9    up to date
spki          =0.8.0-pre.0   0.7.3    up to date
pkcs8         =0.11.0-pre.0  0.10.2   up to date
Dev dependencies (3 total, all up-to-date)
Crate pkcs5
Dependencies (10 total, 1 outdated)
Crate         Required       Latest   Status
der           =0.8.0-pre.0   0.7.9    up to date
spki          =0.8.0-pre.0   0.7.3    up to date
cbc           =0.2.0-pre     0.1.2    out of date
aes           =0.9.0-pre     0.8.4    up to date
des           =0.9.0-pre.0   0.8.1    up to date
pbkdf2        =0.13.0-pre.0  0.12.2   up to date
rand_core     ^0.6.4         0.6.4    up to date
scrypt        =0.12.0-pre.0  0.11.0   up to date
sha1          =0.11.0-pre.3  0.10.6   up to date
sha2          =0.11.0-pre.3  0.10.8   up to date
Dev dependencies (1 total, all up-to-date)
Crate         Required       Latest   Status
hex-literal   ^0.4           0.4.1    up to date
Crate pkcs8
Dependencies (5 total, all up-to-date)
Crate         Required       Latest   Status
der           =0.8.0-pre.0   0.7.9    up to date
spki          =0.8.0-pre.0   0.7.3    up to date
rand_core     ^0.6           0.6.4    up to date
pkcs5         =0.8.0-pre.0   0.7.1    up to date
subtle        ^2             2.5.0    up to date
Dev dependencies (2 total, all up-to-date)
Crate pkcs12
Dependencies (7 total, 2 outdated)
Crate         Required       Latest   Status
der           =0.8.0-pre.0   0.7.9    up to date
spki          =0.8.0-pre.0   0.7.3    up to date
x509-cert     =0.3.0-pre     0.2.5    out of date
const-oid     =0.10.0-pre.2  0.9.6    up to date
cms           =0.3.0-pre     0.2.3    out of date
digest        ^0.11.0-pre.8  0.10.7   up to date
zeroize       ^1.6.0         1.7.0    up to date
Dev dependencies (5 total, all up-to-date)
Crate         Required       Latest   Status
hex-literal   ^0.4           0.4.1    up to date
pkcs8         =0.11.0-pre.0  0.10.2   up to date
pkcs5         =0.8.0-pre.0   0.7.1    up to date
sha2          =0.11.0-pre.3  0.10.8   up to date
whirlpool     =0.11.0-pre.2  0.10.4   up to date
Crate sec1
Dependencies (7 total, all up-to-date)
Crate         Required       Latest   Status
base16ct      ^0.2           0.2.0    up to date
der           =0.8.0-pre.0   0.7.9    up to date
hybrid-array  ^0.2.0-rc.8    0.1.0    up to date
pkcs8         =0.11.0-pre.0  0.10.2   up to date
serdect       =0.3.0-pre.0   0.2.0    up to date
subtle        ^2             2.5.0    up to date
zeroize       ^1             1.7.0    up to date
Dev dependencies (2 total, all up-to-date)
Crate serdect
Dependencies (3 total, all up-to-date)
Crate         Required       Latest   Status
base16ct      ^0.2           0.2.0    up to date
serde         ^1.0.184       1.0.200  up to date
zeroize       ^1             1.7.0    up to date
Dev dependencies (9 total, all up-to-date)
Crate spki
Dependencies (4 total, all up-to-date)
Crate         Required       Latest   Status
der           =0.8.0-pre.0   0.7.9    up to date
arbitrary     ^1.2           1.3.2    up to date
base64ct      ^1             1.6.0    up to date
sha2          =0.11.0-pre.3  0.10.8   up to date
Dev dependencies (2 total, all up-to-date)
Crate tai64
Dependencies (2 total, all up-to-date)
Crate         Required       Latest   Status
serde         ^1             1.0.200  up to date
zeroize       ^1.6           1.7.0    up to date
Crate tls_codec
Dependencies (3 total, all up-to-date)
Crate         Required       Latest   Status
zeroize       ^1.7           1.7.0    up to date
arbitrary     ^1.3           1.3.2    up to date
serde         ^1.0.184       1.0.200  up to date
Dev dependencies (6 total, 4 outdated)
Crate tls_codec_derive
Dependencies (3 total, all up-to-date)
Crate         Required       Latest   Status
syn           ^2             2.0.60   up to date
quote         ^1.0           1.0.36   up to date
proc-macro2   ^1.0           1.0.81   up to date
Dev dependencies (1 total, all up-to-date)
Crate         Required       Latest   Status
trybuild      ^1             1.0.91   up to date
Crate x509-tsp
Dependencies (4 total, 3 outdated)
Crate         Required       Latest   Status
der           =0.8.0-pre.0   0.7.9    up to date
cms           =0.3.0-pre     0.2.3    out of date
cmpv2         =0.3.0-pre     0.2.0    out of date
x509-cert     =0.3.0-pre     0.2.5    out of date
Dev dependencies (1 total, all up-to-date)
Crate         Required       Latest   Status
hex-literal   ^0.4.1         0.4.1    up to date
Crate x509-cert
Dependencies (8 total, all up-to-date)
Dev dependencies (9 total, 1 insecure)
Crate         Required       Latest   Status
hex-literal   ^0.4           0.4.1    up to date
rand          ^0.8.5         0.8.5    up to date
rsa ⚠️        =0.10.0-pre.1  0.9.6    insecure
ecdsa         =0.17.0-pre.5  0.16.9   up to date
p256          =0.14.0-pre.0  0.13.2   up to date
rstest        ^0.19          0.19.0   up to date
sha2          =0.11.0-pre.3  0.10.8   up to date
tempfile      ^3.5.0         3.10.1   up to date
tokio         ^1.37.0        1.37.0   up to date
Crate x509-cert-test-support
Dependencies (3 total, all up-to-date)
Crate x509-ocsp
Dependencies (7 total, 1 outdated)
Crate         Required       Latest   Status
const-oid     =0.10.0-pre.2  0.9.6    up to date
der           =0.8.0-pre.0   0.7.9    up to date
spki          =0.8.0-pre.0   0.7.3    up to date
x509-cert     =0.3.0-pre     0.2.5    out of date
digest        =0.11.0-pre.8  0.10.7   up to date
rand_core     ^0.6.4         0.6.4    up to date
signature     =2.3.0-pre.3   2.2.0    up to date
Dev dependencies (6 total, 1 insecure)
Crate         Required       Latest   Status
hex-literal   ^0.4.1         0.4.1    up to date
lazy_static   ^1.4.0         1.4.0    up to date
rand          ^0.8.5         0.8.5    up to date
rsa ⚠️        =0.10.0-pre.1  0.9.6    insecure
sha1          =0.11.0-pre.3  0.10.6   up to date
sha2          =0.11.0-pre.3  0.10.8   up to date
Security Vulnerabilities
rsa: Marvin Attack: potential key recovery through timing sidechannels
RUSTSEC-2023-0071
Impact
Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.
Patches
No patch is yet available, however work is underway to migrate to a fully constant-time implementation.
Workarounds
The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.
References
This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.