Verify the state of rsa dependency - security alert #735
Description
We can ignore it for now, but we'll need to check for a newer version again in a while.
error[vulnerability]: Marvin Attack: potential key recovery through timing sidechannels
┌─ /home/maciej/dev/nethermind/taiko/Catalyst/Cargo.lock:646:1
│
646 │ rsa 0.9.8 registry+https://github.com/rust-lang/crates.io-index
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
│
├ ID: RUSTSEC-2023-0071
├ Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0071
├ ### Impact
Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.
### Patches
No patch is yet available, however work is underway to migrate to a fully constant-time implementation.
### Workarounds
The only currently available workaround is to avoid using the `rsa` crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.
### References
This vulnerability was discovered as part of the "[Marvin Attack]", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.
[Marvin Attack]: https://people.redhat.com/~hkario/marvin/
├ Announcement: https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643
├ Solution: No safe upgrade is available!
├ rsa v0.9.8
└── sqlx-mysql v0.8.6
├── sqlx v0.8.6
│ └── urc v1.23.8
│ └── permissionless v1.23.8
└── sqlx-macros-core v0.8.6
└── sqlx-macros v0.8.6
└── sqlx v0.8.6 (*)
advisories FAILED, bans ok, licenses ok, sources ok
❌ Critical: Vulnerable dependencies detected (run 'cargo deny check')
error: nie można wypchnąć niektórych referencji do „github.com:NethermindEth/Catalyst.git”