Dealing with RUSTSEC-2023-0071 #257
This `decrypt` public API is a straight call into `rsa` crate with PKCS1v15 padding:
rpgp/src/crypto/rsa.rs, lines 25 to 33 in 63f55a7
This is claimed to be vulnerable to a timing attack at RustCrypto/RSA#19.
There is a security advisory at https://rustsec.org/advisories/RUSTSEC-2023-0071 without a fix currently.
rPGP should update to a fixed `rsa` dependency or work around this somehow, but as far as I see there is no workaround and we need an `rsa` crate fix.