Skip to content

Update Rust crate rsa to 0.9.10 [SECURITY] (dev)#433

Open
renovate[bot] wants to merge 1 commit into
devfrom
renovate/dev-crate-rsa-vulnerability
Open

Update Rust crate rsa to 0.9.10 [SECURITY] (dev)#433
renovate[bot] wants to merge 1 commit into
devfrom
renovate/dev-crate-rsa-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 8, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Type Update Change
rsa workspace.dependencies patch 0.90.9.10

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Marvin Attack: potential key recovery through timing sidechannels

CVE-2023-49092 / GHSA-4grx-2x9w-596c / GHSA-c38w-74pg-36hr / RUSTSEC-2023-0071

More information

Details

The Marvin Attack is a timing sidechannel vulnerability which allows performing RSA decryption and signing operations as an attacker with the ability to observe only the time of the decryption operation performed withthe private key.

A recent survey of RSA implementations found that the Rust rsa crate is one of many implementations vulnerable to this attack.

No fixed version is available at this time.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Marvin Attack: potential key recovery through timing sidechannels

CVE-2023-49092 / GHSA-4grx-2x9w-596c / GHSA-c38w-74pg-36hr / RUSTSEC-2023-0071

More information

Details

Impact

Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.

Patches

No patch is yet available, however work is underway to migrate to a fully constant-time implementation.

Workarounds

The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.

References

This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


rsa crate has potential panic on a prime being equal to 1

CVE-2026-21895 / GHSA-9c48-w39g-hm26

More information

Details

When creating a RSA private key from its components, the construction panics, instead of returning an error, when one of the primes is 1.

Discovered by Christian Reitter from Radically Open Security during a security review for Proton AG.

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: (in timezone Europe/Warsaw)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Jul 8, 2026

Copy link
Copy Markdown
Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock
Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --workspace
error: failed to parse lock file at: /tmp/renovate/repos/github/DefGuard/defguard-renovate/Cargo.lock

Caused by:
  TOML parse error at line 5364, column 20
       |
  5364 | version = "0.23.11""
       |                    ^
  unexpected key or value, expected newline, `#`

@renovate renovate Bot added the security label Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants