This project contains known security vulnerabilities . Find detailed information at the bottom .
Crate base16ct No external dependencies! 🙌
Crate base32ct Dev dependencies (2 total, 1 outdated)
Crate Required Latest Status base32 ^0.40.4.0up to date proptest =1.2.01.4.0out of date
Crate base64ct Dev dependencies (2 total, 1 outdated)
Crate Required Latest Status base64 ^0.220.22.1up to date proptest =1.2.01.4.0out of date
Crate cmpv2 Dependencies (4 total, 2 outdated)
Crate Required Latest Status crmf =0.3.0-pre0.2.0out of date der =0.8.0-pre.00.7.9up to date spki =0.8.0-pre.00.7.3up to date x509-cert =0.3.0-pre0.2.5out of date
Dev dependencies (2 total, all up-to-date)
Crate cms Dependencies (13 total, 2 outdated, 1 insecure)
Crate Required Latest Status der =0.8.0-pre.00.7.9up to date spki =0.8.0-pre.00.7.3up to date x509-cert =0.3.0-pre0.2.5out of date const-oid =0.10.0-pre.20.9.6up to date aes =0.9.0-pre0.8.4up to date cbc =0.2.0-pre0.1.2out of date cipher =0.5.0-pre.40.4.4up to date rsa ⚠️ =0.10.0-pre.10.9.6insecure sha1 =0.11.0-pre.30.10.6up to date sha2 =0.11.0-pre.30.10.8up to date sha3 =0.11.0-pre.30.10.8up to date signature =2.3.0-pre.32.2.0up to date zeroize ^1.6.01.7.0up to date
Dev dependencies (8 total, 1 insecure)
Crate Required Latest Status getrandom ^0.20.2.14up to date hex-literal ^0.40.4.1up to date pem-rfc7468 =1.0.0-pre.00.7.0up to date pkcs5 =0.8.0-pre.00.7.1up to date rand ^0.8.50.8.5up to date rsa ⚠️ =0.10.0-pre.10.9.6insecure ecdsa =0.17.0-pre.50.16.9up to date p256 =0.14.0-pre.00.13.2up to date
Crate const-oid Dependencies (1 total, all up-to-date)
Crate Required Latest Status arbitrary ^1.21.3.2up to date
Dev dependencies (1 total, all up-to-date)
Crate Required Latest Status hex-literal ^0.40.4.1up to date
Crate crmf Dependencies (4 total, 2 outdated)
Crate Required Latest Status cms =0.3.0-pre0.2.3out of date der =0.8.0-pre.00.7.9up to date spki =0.8.0-pre.00.7.3up to date x509-cert =0.3.0-pre0.2.5out of date
Dev dependencies (1 total, all up-to-date)
Crate Required Latest Status const-oid =0.10.0-pre.20.9.6up to date
Crate der Dependencies (8 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate der_derive Dependencies (3 total, all up-to-date)
Crate Required Latest Status proc-macro2 ^11.0.81up to date quote ^11.0.36up to date syn ^22.0.60up to date
Crate gss-api Dependencies (3 total, 1 outdated)
Crate Required Latest Status der =0.8.0-pre.00.7.9up to date spki =0.8.0-pre.00.7.3up to date x509-cert =0.3.0-pre0.2.5out of date
Dev dependencies (3 total, 1 outdated)
Crate Required Latest Status der =0.8.0-pre.00.7.9up to date hex-literal ^0.40.4.1up to date x509-cert =0.3.0-pre0.2.5out of date
Crate pem-rfc7468 Dependencies (1 total, all up-to-date)
Crate Required Latest Status base64ct ^1.41.6.0up to date
Crate pkcs1 Dependencies (3 total, all up-to-date)
Crate Required Latest Status der =0.8.0-pre.00.7.9up to date spki =0.8.0-pre.00.7.3up to date pkcs8 =0.11.0-pre.00.10.2up to date
Dev dependencies (3 total, all up-to-date)
Crate pkcs5 Dependencies (10 total, 1 outdated)
Crate Required Latest Status der =0.8.0-pre.00.7.9up to date spki =0.8.0-pre.00.7.3up to date cbc =0.2.0-pre0.1.2out of date aes =0.9.0-pre0.8.4up to date des =0.9.0-pre.00.8.1up to date pbkdf2 =0.13.0-pre.00.12.2up to date rand_core ^0.6.40.6.4up to date scrypt =0.12.0-pre.00.11.0up to date sha1 =0.11.0-pre.30.10.6up to date sha2 =0.11.0-pre.30.10.8up to date
Dev dependencies (1 total, all up-to-date)
Crate Required Latest Status hex-literal ^0.40.4.1up to date
Crate pkcs8 Dependencies (5 total, all up-to-date)
Crate Required Latest Status der =0.8.0-pre.00.7.9up to date spki =0.8.0-pre.00.7.3up to date rand_core ^0.60.6.4up to date pkcs5 =0.8.0-pre.00.7.1up to date subtle ^22.5.0up to date
Dev dependencies (2 total, all up-to-date)
Crate pkcs12 Dependencies (7 total, 2 outdated)
Crate Required Latest Status der =0.8.0-pre.00.7.9up to date spki =0.8.0-pre.00.7.3up to date x509-cert =0.3.0-pre0.2.5out of date const-oid =0.10.0-pre.20.9.6up to date cms =0.3.0-pre0.2.3out of date digest ^0.11.0-pre.80.10.7up to date zeroize ^1.6.01.7.0up to date
Dev dependencies (5 total, all up-to-date)
Crate Required Latest Status hex-literal ^0.40.4.1up to date pkcs8 =0.11.0-pre.00.10.2up to date pkcs5 =0.8.0-pre.00.7.1up to date sha2 =0.11.0-pre.30.10.8up to date whirlpool =0.11.0-pre.20.10.4up to date
Crate sec1 Dependencies (7 total, all up-to-date)
Crate Required Latest Status base16ct ^0.20.2.0up to date der =0.8.0-pre.00.7.9up to date hybrid-array ^0.2.0-rc.80.1.0up to date pkcs8 =0.11.0-pre.00.10.2up to date serdect =0.3.0-pre.00.2.0up to date subtle ^22.5.0up to date zeroize ^11.7.0up to date
Dev dependencies (2 total, all up-to-date)
Crate serdect Dependencies (3 total, all up-to-date)
Crate Required Latest Status base16ct ^0.20.2.0up to date serde ^1.0.1841.0.200up to date zeroize ^11.7.0up to date
Dev dependencies (9 total, all up-to-date)
Crate spki Dependencies (4 total, all up-to-date)
Crate Required Latest Status der =0.8.0-pre.00.7.9up to date arbitrary ^1.21.3.2up to date base64ct ^11.6.0up to date sha2 =0.11.0-pre.30.10.8up to date
Dev dependencies (2 total, all up-to-date)
Crate tai64 Dependencies (2 total, all up-to-date)
Crate Required Latest Status serde ^11.0.200up to date zeroize ^1.61.7.0up to date
Crate tls_codec Dependencies (3 total, all up-to-date)
Crate Required Latest Status zeroize ^1.71.7.0up to date arbitrary ^1.31.3.2up to date serde ^1.0.1841.0.200up to date
Dev dependencies (6 total, 4 outdated)
Crate tls_codec_derive Dependencies (3 total, all up-to-date)
Crate Required Latest Status syn ^22.0.60up to date quote ^1.01.0.36up to date proc-macro2 ^1.01.0.81up to date
Dev dependencies (1 total, all up-to-date)
Crate Required Latest Status trybuild ^11.0.91up to date
Crate x509-tsp Dependencies (4 total, 3 outdated)
Crate Required Latest Status der =0.8.0-pre.00.7.9up to date cms =0.3.0-pre0.2.3out of date cmpv2 =0.3.0-pre0.2.0out of date x509-cert =0.3.0-pre0.2.5out of date
Dev dependencies (1 total, all up-to-date)
Crate Required Latest Status hex-literal ^0.4.10.4.1up to date
Crate x509-cert Dependencies (8 total, all up-to-date)
Dev dependencies (9 total, 1 insecure)
Crate Required Latest Status hex-literal ^0.40.4.1up to date rand ^0.8.50.8.5up to date rsa ⚠️ =0.10.0-pre.10.9.6insecure ecdsa =0.17.0-pre.50.16.9up to date p256 =0.14.0-pre.00.13.2up to date rstest ^0.190.19.0up to date sha2 =0.11.0-pre.30.10.8up to date tempfile ^3.5.03.10.1up to date tokio ^1.37.01.37.0up to date
Crate x509-cert-test-support Dependencies (3 total, all up-to-date)
Crate x509-ocsp Dependencies (7 total, 1 outdated)
Crate Required Latest Status const-oid =0.10.0-pre.20.9.6up to date der =0.8.0-pre.00.7.9up to date spki =0.8.0-pre.00.7.3up to date x509-cert =0.3.0-pre0.2.5out of date digest =0.11.0-pre.80.10.7up to date rand_core ^0.6.40.6.4up to date signature =2.3.0-pre.32.2.0up to date
Dev dependencies (6 total, 1 insecure)
Crate Required Latest Status hex-literal ^0.4.10.4.1up to date lazy_static ^1.4.01.4.0up to date rand ^0.8.50.8.5up to date rsa ⚠️ =0.10.0-pre.10.9.6insecure sha1 =0.11.0-pre.30.10.6up to date sha2 =0.11.0-pre.30.10.8up to date
Security Vulnerabilities rsa: Marvin Attack: potential key recovery through timing sidechannelsRUSTSEC-2023-0071
Impact
Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.
Patches
No patch is yet available, however work is underway to migrate to a fully constant-time implementation.
Workarounds
The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.
References
This vulnerability was discovered as part of the "Marvin Attack ", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.
