This project contains known security vulnerabilities. Find detailed information at the bottom.
Crate kitsune-activitypub
Dependencies (12 total, all up-to-date)
Dev dependencies (4 total, all up-to-date)
Crate kitsune-cache
Dependencies (4 total, all up-to-date)
Crate kitsune-captcha
Dependencies (6 total, all up-to-date)
Crate kitsune-config
Dependencies (6 total, all up-to-date)
Crate | Required | Latest | Status
eyre | ^0.6.12 | 0.6.12 | up to date
human-size | ^0.4.3 | 0.4.3 | up to date
isolang | ^2.4.0 | 2.4.0 | up to date
serde | ^1.0.210 | 1.0.213 | up to date
smol_str | ^0.3.1 | 0.3.1 | up to date
toml | ^0.8.19 | 0.8.19 | up to date
Crate kitsune-core
Dependencies (7 total, all up-to-date)
Crate kitsune-db
Dependencies (12 total, 1 outdated)
Crate kitsune-derive
Dependencies (1 total, all up-to-date)
Crate kitsune-derive-impl
Dependencies (3 total, all up-to-date)
Crate | Required | Latest | Status
proc-macro2 | ^1.0.88 | 1.0.89 | up to date
quote | ^1.0.37 | 1.0.37 | up to date
syn | ^2.0.79 | 2.0.82 | up to date
Crate kitsune-email
Dependencies (4 total, all up-to-date)
Crate kitsune-embed
Dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
http | ^1.1.0 | 1.1.0 | up to date
smol_str | ^0.3.1 | 0.3.1 | up to date
Crate kitsune-error
Dependencies (5 total, all up-to-date)
Crate kitsune-federation
Dependencies (1 total, all up-to-date)
Crate kitsune-federation-filter
Dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
globset | ^0.4.15 | 0.4.15 | up to date
url | ^2.5.2 | 2.5.2 | up to date
Crate kitsune-http-client
Dependencies (11 total, all up-to-date)
Crate kitsune-jobs
Dependencies (5 total, all up-to-date)
Crate kitsune-language
Dependencies (4 total, all up-to-date)
Crate kitsune-mastodon
Dependencies (6 total, all up-to-date)
Crate kitsune-observability
Dependencies (12 total, all up-to-date)
Crate kitsune-oidc
Dependencies (6 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
tokio | ^1.40.0 | 1.41.0 | up to date
Crate kitsune-s3
Dependencies (7 total, all up-to-date)
Crate kitsune-scss-compiler
Dependencies (4 total, all up-to-date)
Crate | Required | Latest | Status
eyre | ^0.6.12 | 0.6.12 | up to date
glob | ^0.3.1 | 0.3.1 | up to date
grass_compiler | ^0.13.4 | 0.13.4 | up to date
tracing | ^0.1.40 | 0.1.40 | up to date
Crate kitsune-search
Dependencies (12 total, all up-to-date)
Crate kitsune-service
Dependencies (20 total, 1 insecure)
Dev dependencies (6 total, all up-to-date)
Crate kitsune-storage
Dependencies (5 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
tempfile | ^3.13.0 | 3.13.0 | up to date
Crate kitsune-test
Dependencies (10 total, all up-to-date)
Crate kitsune-type
Dependencies (4 total, all up-to-date)
Crate | Required | Latest | Status
serde | ^1.0.210 | 1.0.213 | up to date
serde_with | ^3.11.0 | 3.11.0 | up to date
smol_str | ^0.3.1 | 0.3.1 | up to date
strum | ^0.26.3 | 0.26.3 | up to date
Dev dependencies (3 total, all up-to-date)
Crate kitsune-url
Dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
smol_str | ^0.3.1 | 0.3.1 | up to date
Crate kitsune-util
Dependencies (3 total, all up-to-date)
Crate kitsune-wasm-mrf
Dependencies (13 total, 2 outdated)
Dev dependencies (3 total, all up-to-date)
Crate example-mrf
Dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
rand | ^0.8.5 | 0.8.5 | up to date
wit-bindgen | ^0.34.0 | 0.34.0 | up to date
Crate kitsune-webfinger
Dependencies (5 total, all up-to-date)
Dev dependencies (4 total, all up-to-date)
Crate kitsune
Dependencies (34 total, all up-to-date)
Build dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
camino | ^1.1.9 | 1.1.9 | up to date
fs_extra | ^1.3.0 | 1.3.0 | up to date
Crate kitsune-cli
Dependencies (5 total, all up-to-date)
Crate kitsune-job-runner
Dependencies (4 total, all up-to-date)
Crate athena
Dependencies (13 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate blowocking
Dependencies (3 total, all up-to-date)
Crate | Required | Latest | Status
rayon | ^1.10.0 | 1.10.0 | up to date
thiserror | ^1.0.64 | 1.0.65 | up to date
tracing | ^0.1.40 | 0.1.40 | up to date
Crate cursiv
Dependencies (11 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
futures-test | ^0.3.31 | 0.3.31 | up to date
tower | ^0.5.1 | 0.5.1 | up to date
Crate fast-cjson
Dependencies (3 total, all up-to-date)
Dev dependencies (7 total, all up-to-date)
Crate geomjeungja
Dependencies (8 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate http-signatures
Dependencies (13 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
divan | ^0.1.14 | 0.1.14 | up to date
Crate http-signatures-cli
Dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
miette | ^7.2.0 | 7.2.0 | up to date
owo-colors | ^4.1.0 | 4.1.0 | up to date
Crate just-retry
Dependencies (2 total, all up-to-date)
Crate masto-id-convert
Dependencies (3 total, all up-to-date)
Dev dependencies (3 total, all up-to-date)
Crate | Required | Latest | Status
divan | ^0.1.14 | 0.1.14 | up to date
time | ^0.3.36 | 0.3.36 | up to date
uuid | ^1.11.0 | 1.11.0 | up to date
Crate mrf-manifest
Dependencies (7 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
insta | ^1.40.0 | 1.40.0 | up to date
wat | ^1.219.1 | 1.219.1 | up to date
Crate mrf-tool
Dependencies (3 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
wat | ^1.219.1 | 1.219.1 | up to date
Crate post-process
Dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
logos | ^0.14.2 | 0.14.2 | up to date
Dev dependencies (4 total, all up-to-date)
Crate schaber
Dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
lol_html | ^2.0.0 | 2.0.0 | up to date
thiserror | ^1.0.64 | 1.0.65 | up to date
Crate speedy-uuid
Dependencies (7 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
serde_test | ^1.0.177 | 1.0.177 | up to date
Crate tick-tock-mock
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
divan | ^0.1.14 | 0.1.14 | up to date
Crate tower-http-digest
Dependencies (12 total, all up-to-date)
Dev dependencies (4 total, all up-to-date)
Crate tower-stop-using-brave
Dependencies (5 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
futures-test | ^0.3.31 | 0.3.31 | up to date
tower | ^0.5.1 | 0.5.1 | up to date
Crate tower-x-clacks-overhead
Dependencies (4 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
futures-test | ^0.3.31 | 0.3.31 | up to date
tower | ^0.5.1 | 0.5.1 | up to date
Crate trials
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
futures-test | ^0.3.31 | 0.3.31 | up to date
Crate xtask
Dependencies (5 total, all up-to-date)
Security Vulnerabilities
rsa: Marvin Attack: potential key recovery through timing sidechannels
RUSTSEC-2023-0071
Impact
Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.
Patches
No patch is yet available, however work is underway to migrate to a fully constant-time implementation.
Workarounds
The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.
References
This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.