This project contains known security vulnerabilities . Find detailed information at the bottom .
Crate kitsune-activitypub Dependencies (17 total, all up-to-date)
Dev dependencies (5 total, all up-to-date)
Crate kitsune-cache Dependencies (7 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate Required Latest Status tokio ^1.37.01.37.0up to date
Crate kitsune-captcha Dependencies (7 total, all up-to-date)
Crate kitsune-config Dependencies (7 total, all up-to-date)
Crate Required Latest Status eyre ^0.6.120.6.12up to date human-size ^0.4.30.4.3up to date isolang ^2.4.02.4.0up to date serde ^1.0.2001.0.200up to date smol_str ^0.2.10.2.1up to date tokio ^1.37.01.37.0up to date toml ^0.8.120.8.12up to date
Crate kitsune-core Dependencies (4 total, all up-to-date)
Build dependencies (1 total, all up-to-date)
Crate Required Latest Status vergen ^8.3.18.3.1up to date
Crate kitsune-db Dependencies (18 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate Required Latest Status tokio ^1.37.01.37.0up to date
Crate kitsune-email Dependencies (7 total, all up-to-date)
Crate kitsune-embed Dependencies (8 total, all up-to-date)
Crate kitsune-error Dependencies (7 total, all up-to-date)
Crate kitsune-federation Dependencies (1 total, all up-to-date)
Crate kitsune-federation-filter Dependencies (2 total, all up-to-date)
Crate Required Latest Status globset ^0.4.140.4.14up to date url ^2.5.02.5.0up to date
Crate kitsune-http-client Dependencies (14 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate Required Latest Status tokio ^1.37.01.37.0up to date
Crate kitsune-jobs Dependencies (7 total, all up-to-date)
Crate kitsune-language Dependencies (6 total, all up-to-date)
Crate kitsune-mastodon Dependencies (10 total, all up-to-date)
Crate kitsune-observability Dependencies (15 total, all up-to-date)
Crate kitsune-oidc Dependencies (11 total, all up-to-date)
Crate kitsune-s3 Dependencies (7 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate Required Latest Status tokio ^1.37.01.37.0up to date
Crate kitsune-scss-compiler Dependencies (4 total, all up-to-date)
Crate Required Latest Status anyhow ^1.0.821.0.82up to date glob ^0.3.10.3.1up to date rsass ^0.28.80.28.8up to date tracing ^0.1.400.1.40up to date
Crate kitsune-search Dependencies (11 total, all up-to-date)
Crate kitsune-service Dependencies (27 total, 1 insecure)
Dev dependencies (6 total, all up-to-date)
Crate kitsune-storage Dependencies (6 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate Required Latest Status tempfile ^3.10.13.10.1up to date tokio ^1.37.01.37.0up to date
Crate kitsune-test Dependencies (15 total, all up-to-date)
Crate kitsune-type Dependencies (6 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate kitsune-url Dependencies (2 total, all up-to-date)
Crate kitsune-util Dependencies (6 total, all up-to-date)
Crate kitsune-wasm-mrf Dependencies (16 total, all up-to-date)
Dev dependencies (3 total, all up-to-date)
Crate example-mrf Dependencies (2 total, all up-to-date)
Crate Required Latest Status rand ^0.8.50.8.5up to date wit-bindgen ^0.24.00.24.0up to date
Crate kitsune-webfinger Dependencies (7 total, all up-to-date)
Dev dependencies (6 total, all up-to-date)
Crate kitsune Dependencies (47 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Build dependencies (2 total, all up-to-date)
Crate Required Latest Status camino ^1.1.61.1.6up to date fs_extra ^1.3.01.3.0up to date
Crate kitsune-cli Dependencies (9 total, all up-to-date)
Build dependencies (1 total, all up-to-date)
Crate Required Latest Status vergen ^8.3.18.3.1up to date
Crate kitsune-job-runner Dependencies (7 total, all up-to-date)
Crate athena Dependencies (17 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate blowocking Dependencies (5 total, all up-to-date)
Crate Required Latest Status once_cell ^1.19.01.19.0up to date rayon ^1.10.01.10.0up to date thiserror ^1.0.591.0.59up to date tokio ^1.37.01.37.0up to date tracing ^0.1.400.1.40up to date
Crate cursiv Dependencies (11 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate Required Latest Status futures-test ^0.3.300.3.30up to date tower ^0.4.130.4.13up to date
Crate geomjeungja Dependencies (8 total, all up-to-date)
Dev dependencies (4 total, all up-to-date)
Crate http-compat Dependencies (1 total, all up-to-date)
Crate Required Latest Status http ^1.1.01.1.0up to date
Crate http-signatures Dependencies (14 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate Required Latest Status criterion ^0.5.10.5.1up to date tokio ^1.37.01.37.0up to date
Crate just-retry Dependencies (4 total, all up-to-date)
Crate masto-id-convert Dependencies (3 total, all up-to-date)
Dev dependencies (3 total, all up-to-date)
Crate Required Latest Status criterion ^0.5.10.5.1up to date time ^0.3.360.3.36up to date uuid ^1.8.01.8.0up to date
Crate mrf-manifest Dependencies (9 total, all up-to-date)
Dev dependencies (3 total, all up-to-date)
Crate Required Latest Status serde_json ^1.0.1161.0.116up to date insta ^1.38.01.38.0up to date wat ^1.206.01.206.0up to date
Crate mrf-tool Dependencies (4 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate Required Latest Status serde_json ^1.0.1161.0.116up to date wat ^1.206.01.206.0up to date
Crate multiplex-pool No external dependencies! 🙌
Crate post-process Dependencies (1 total, all up-to-date)
Crate Required Latest Status logos ^0.14.00.14.0up to date
Dev dependencies (4 total, all up-to-date)
Crate speedy-uuid Dependencies (7 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate Required Latest Status serde_test ^1.0.1761.0.176up to date
Crate tick-tock-mock Dev dependencies (1 total, all up-to-date)
Crate Required Latest Status criterion ^0.5.10.5.1up to date
Crate tower-http-digest Dependencies (12 total, all up-to-date)
Dev dependencies (4 total, all up-to-date)
Crate tower-stop-using-brave Dependencies (6 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate Required Latest Status futures ^0.3.300.3.30up to date tower ^0.4.130.4.13up to date
Crate tower-x-clacks-overhead Dependencies (5 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate Required Latest Status futures-test ^0.3.300.3.30up to date tower ^0.4.130.4.13up to date
Crate trials Dev dependencies (1 total, all up-to-date)
Crate Required Latest Status futures-test ^0.3.300.3.30up to date
Crate trials-macros Dependencies (3 total, all up-to-date)
Crate Required Latest Status proc-macro2 ^1.0.811.0.81up to date quote ^1.0.361.0.36up to date syn ^2.0.602.0.60up to date
Crate xtask Dependencies (6 total, all up-to-date)
Security Vulnerabilities rsa: Marvin Attack: potential key recovery through timing sidechannelsRUSTSEC-2023-0071
Impact
Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.
Patches
No patch is yet available, however work is underway to migrate to a fully constant-time implementation.
Workarounds
The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.
References
This vulnerability was discovered as part of the "Marvin Attack ", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.
