Summary
russh 0.57.0 still triggers RUSTSEC-2023-0071 (Marvin Attack: potential key recovery through timing sidechannels) because it depends on rsa 0.10.0-rc.12, which is a pre-release that still carries the advisory.
The previous issue #337 was closed as completed, and #597 upgraded from rsa 0.9 to 0.10, but the advisory is still active for rsa 0.10.0-rc.12 since no stable patched release exists yet.
Reproduction
$ cargo audit
error: 1 vulnerability found!
Version: 0.10.0-rc.12
Title: Marvin Attack: potential key recovery through timing sidechannels
Date: 2023-11-22
ID: RUSTSEC-2023-0071
URL: https://rustsec.org/advisories/RUSTSEC-2023-0071
Severity: 5.9 (medium)
Solution: No fixed upgrade is available!
Dependency tree:
rsa 0.10.0-rc.12
├── russh 0.57.0
└── internal-russh-forked-ssh-key 0.6.16+upstream-0.6.7
    └── russh 0.57.0
Impact
Any project depending on russh 0.57.0 will fail cargo audit due to this transitive dependency, with no way to resolve it by upgrading.
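One way a downstream project can keep `cargo audit` in CI without silently ignoring this finding forever, as an added example that is not part of this issue or of the russh project: parse the text report quoted above and fail the build unless every advisory is on a time-boxed allowlist bound to the crate, and automatically re-fail once cargo audit reports an upgrade path. The allowlist, its expiry date and the "No fixed upgrade" check on the Solution line are assumptions of this example, not project policy.

```python
import re

# Constructed sample input: the `cargo audit` text output quoted in this issue.
SAMPLE_AUDIT_OUTPUT = """\
error: 1 vulnerability found!
Version: 0.10.0-rc.12
Title: Marvin Attack: potential key recovery through timing sidechannels
Date: 2023-11-22
ID: RUSTSEC-2023-0071
URL: https://rustsec.org/advisories/RUSTSEC-2023-0071
Severity: 5.9 (medium)
Solution: No fixed upgrade is available!
Dependency tree:
rsa 0.10.0-rc.12
├── russh 0.57.0
└── internal-russh-forked-ssh-key 0.6.16+upstream-0.6.7
    └── russh 0.57.0
"""

# Hypothetical allowlist: each acceptance is bound to a crate and expires
# (ISO dates, so plain string comparison orders them correctly).
ACCEPTED = {
    "RUSTSEC-2023-0071": {"crate": "rsa", "until": "2026-06-30"},
}

def parse_findings(text):
    """Split the report into one dict per advisory, keyed by its 'Field:' lines.

    A new block starts when a field name repeats; the vulnerable crate's name is
    taken from the root line of the dependency tree (the field order follows
    the report quoted in this issue)."""
    findings, current = [], None
    for line in text.splitlines():
        if line.startswith("Dependency tree:") or not line.strip():
            continue
        m = re.match(r"^([A-Z]\w*):\s*(.*)$", line)
        if m:
            key, value = m.groups()
            if current is None or key in current:
                current = {}
                findings.append(current)
            current[key] = value
        elif current is not None and "Crate" not in current:
            current["Crate"] = line.split()[0]  # root of the tree: "rsa 0.10.0-rc.12"
    return findings

def gate(text, accepted, today):
    """Return advisory IDs that must fail the build: not accepted, accepted for a
    different crate, acceptance expired, or cargo audit now offers a fix."""
    failures = []
    for f in parse_findings(text):
        entry = accepted.get(f.get("ID"))
        fixable = not f.get("Solution", "").startswith("No fixed upgrade")
        if (entry is None or entry["crate"] != f.get("Crate")
                or today > entry["until"] or fixable):
            failures.append(f.get("ID"))
    return failures
```

Run `cargo audit > report.txt` in CI and feed the file to `gate` with today's date; a non-empty result is a failed build.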
Expected behavior
Once the rsa crate publishes a stable release that addresses RUSTSEC-2023-0071, russh should update its dependency to the fixed version.
Environment
- russh: 0.57.0
- rsa: 0.10.0-rc.12
- cargo-audit: latest