This project contains known security vulnerabilities. Find detailed information at the bottom.
Crate kitsune-activitypub
Dependencies (17 total, all up-to-date)
Dev dependencies (5 total, all up-to-date)
Crate kitsune-cache
Dependencies (7 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
tokio | ^1.37.0 | 1.37.0 | up to date
Crate kitsune-captcha
Dependencies (7 total, all up-to-date)
Crate kitsune-config
Dependencies (7 total, all up-to-date)
Crate | Required | Latest | Status
eyre | ^0.6.12 | 0.6.12 | up to date
human-size | ^0.4.3 | 0.4.3 | up to date
isolang | ^2.4.0 | 2.4.0 | up to date
serde | ^1.0.200 | 1.0.200 | up to date
smol_str | ^0.2.1 | 0.2.1 | up to date
tokio | ^1.37.0 | 1.37.0 | up to date
toml | ^0.8.12 | 0.8.12 | up to date
Crate kitsune-core
Dependencies (4 total, all up-to-date)
Build dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
vergen | ^8.3.1 | 8.3.1 | up to date
Crate kitsune-db
Dependencies (18 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
tokio | ^1.37.0 | 1.37.0 | up to date
Crate kitsune-email
Dependencies (7 total, all up-to-date)
Crate kitsune-embed
Dependencies (8 total, all up-to-date)
Crate kitsune-error
Dependencies (7 total, all up-to-date)
Crate kitsune-federation
Dependencies (1 total, all up-to-date)
Crate kitsune-federation-filter
Dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
globset | ^0.4.14 | 0.4.14 | up to date
url | ^2.5.0 | 2.5.0 | up to date
Crate kitsune-http-client
Dependencies (14 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
tokio | ^1.37.0 | 1.37.0 | up to date
Crate kitsune-jobs
Dependencies (7 total, all up-to-date)
Crate kitsune-language
Dependencies (6 total, all up-to-date)
Crate kitsune-mastodon
Dependencies (10 total, all up-to-date)
Crate kitsune-observability
Dependencies (15 total, all up-to-date)
Crate kitsune-oidc
Dependencies (11 total, all up-to-date)
Crate kitsune-s3
Dependencies (7 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
tokio | ^1.37.0 | 1.37.0 | up to date
Crate kitsune-scss-compiler
Dependencies (4 total, all up-to-date)
Crate | Required | Latest | Status
anyhow | ^1.0.82 | 1.0.82 | up to date
glob | ^0.3.1 | 0.3.1 | up to date
rsass | ^0.28.8 | 0.28.8 | up to date
tracing | ^0.1.40 | 0.1.40 | up to date
Crate kitsune-search
Dependencies (11 total, all up-to-date)
Crate kitsune-service
Dependencies (27 total, 1 insecure)
Dev dependencies (6 total, all up-to-date)
Crate kitsune-storage
Dependencies (6 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
tempfile | ^3.10.1 | 3.10.1 | up to date
tokio | ^1.37.0 | 1.37.0 | up to date
Crate kitsune-test
Dependencies (15 total, all up-to-date)
Crate kitsune-type
Dependencies (6 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate kitsune-url
Dependencies (2 total, all up-to-date)
Crate kitsune-util
Dependencies (6 total, all up-to-date)
Crate kitsune-wasm-mrf
Dependencies (16 total, all up-to-date)
Dev dependencies (3 total, all up-to-date)
Crate example-mrf
Dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
rand | ^0.8.5 | 0.8.5 | up to date
wit-bindgen | ^0.24.0 | 0.24.0 | up to date
Crate kitsune-webfinger
Dependencies (7 total, all up-to-date)
Dev dependencies (6 total, all up-to-date)
Crate kitsune
Dependencies (47 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Build dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
camino | ^1.1.6 | 1.1.6 | up to date
fs_extra | ^1.3.0 | 1.3.0 | up to date
Crate kitsune-cli
Dependencies (9 total, all up-to-date)
Build dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
vergen | ^8.3.1 | 8.3.1 | up to date
Crate kitsune-job-runner
Dependencies (7 total, all up-to-date)
Crate athena
Dependencies (17 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate blowocking
Dependencies (5 total, all up-to-date)
Crate | Required | Latest | Status
once_cell | ^1.19.0 | 1.19.0 | up to date
rayon | ^1.10.0 | 1.10.0 | up to date
thiserror | ^1.0.59 | 1.0.59 | up to date
tokio | ^1.37.0 | 1.37.0 | up to date
tracing | ^0.1.40 | 0.1.40 | up to date
Crate cursiv
Dependencies (11 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
futures-test | ^0.3.30 | 0.3.30 | up to date
tower | ^0.4.13 | 0.4.13 | up to date
Crate geomjeungja
Dependencies (8 total, all up-to-date)
Dev dependencies (4 total, all up-to-date)
Crate http-compat
Dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
http | ^1.1.0 | 1.1.0 | up to date
Crate http-signatures
Dependencies (14 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
criterion | ^0.5.1 | 0.5.1 | up to date
tokio | ^1.37.0 | 1.37.0 | up to date
Crate just-retry
Dependencies (4 total, all up-to-date)
Crate masto-id-convert
Dependencies (3 total, all up-to-date)
Dev dependencies (3 total, all up-to-date)
Crate | Required | Latest | Status
criterion | ^0.5.1 | 0.5.1 | up to date
time | ^0.3.36 | 0.3.36 | up to date
uuid | ^1.8.0 | 1.8.0 | up to date
Crate mrf-manifest
Dependencies (9 total, all up-to-date)
Dev dependencies (3 total, all up-to-date)
Crate | Required | Latest | Status
serde_json | ^1.0.116 | 1.0.116 | up to date
insta | ^1.38.0 | 1.38.0 | up to date
wat | ^1.206.0 | 1.206.0 | up to date
Crate mrf-tool
Dependencies (4 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
serde_json | ^1.0.116 | 1.0.116 | up to date
wat | ^1.206.0 | 1.206.0 | up to date
Crate multiplex-pool
No external dependencies! 🙌
Crate post-process
Dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
logos | ^0.14.0 | 0.14.0 | up to date
Dev dependencies (4 total, all up-to-date)
Crate speedy-uuid
Dependencies (7 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
serde_test | ^1.0.176 | 1.0.176 | up to date
Crate tick-tock-mock
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
criterion | ^0.5.1 | 0.5.1 | up to date
Crate tower-http-digest
Dependencies (12 total, all up-to-date)
Dev dependencies (4 total, all up-to-date)
Crate tower-stop-using-brave
Dependencies (6 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
futures | ^0.3.30 | 0.3.30 | up to date
tower | ^0.4.13 | 0.4.13 | up to date
Crate tower-x-clacks-overhead
Dependencies (5 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
futures-test | ^0.3.30 | 0.3.30 | up to date
tower | ^0.4.13 | 0.4.13 | up to date
Crate trials
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
futures-test | ^0.3.30 | 0.3.30 | up to date
Crate trials-macros
Dependencies (3 total, all up-to-date)
Crate | Required | Latest | Status
proc-macro2 | ^1.0.81 | 1.0.81 | up to date
quote | ^1.0.36 | 1.0.36 | up to date
syn | ^2.0.60 | 2.0.60 | up to date
Crate xtask
Dependencies (6 total, all up-to-date)
Security Vulnerabilities
rsa: Marvin Attack: potential key recovery through timing sidechannels
RUSTSEC-2023-0071
Impact
Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.
Patches
No patch is yet available, however work is underway to migrate to a fully constant-time implementation.
Workarounds
The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.
References
This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.