
Security: patch quinn-proto DoS (RUSTSEC-2026-0037), acknowledge rsa Marvin Attack (RUSTSEC-2023-0071)#105

Merged
bashandbone merged 2 commits into main from copilot/fix-security-vulnerabilities
Mar 10, 2026


Copilot AI commented Mar 10, 2026

Two vulnerabilities surfaced in the security audit. One has an available patch; the other has no upstream fix yet.

RUSTSEC-2026-0037 — quinn-proto DoS (patched)

Invalid QUIC transport parameters could panic the endpoint. Fixed by bumping quinn-proto 0.11.13 → 0.11.14 in Cargo.lock.

Dep chain: thread-flow → reqwest → quinn → quinn-proto

RUSTSEC-2023-0071 — rsa Marvin Attack timing sidechannel (no upstream patch)

Non-constant-time RSA implementation leaks private key bits via network-observable timing. No patched version exists. Added to deny.toml advisory ignore list with justification:

  • rsa enters only via recoco-core → sqlx → sqlx-mysql; Thread uses PostgreSQL exclusively
  • No RSA private key operations occur in any network-observable path
  • Matches advisory's own stated safe-use condition ("local use on a non-compromised computer is fine")
  • Entry references upstream tracking issue for when a patch ships
```toml
# deny.toml
[advisories]
ignore = [
  { id = "RUSTSEC-2023-0071", reason = "No patch available. rsa enters only via sqlx-mysql (unused); no network-observable RSA ops in Thread. Track https://github.com/RustCrypto/RSA/issues/19." },
]
```
Original prompt

This section details the original issue you should resolve

<issue_title>Security: 2 vulnerabilities found</issue_title>
<issue_description>## Security Audit Report

Date: 2026-03-10T04:12:53.171Z
Vulnerabilities: 2

RUSTSEC-2026-0037: Denial of service in Quinn endpoints

Package: quinn-proto@0.11.13
Severity: Unknown
URL: quinn-rs/quinn#2559

Receiving QUIC transport parameters containing invalid values could lead to a panic.

Unfortunately the maintainers did not properly assess usage of unwrap() calls in the
transport parameters parsing code, and we did not have sufficient fuzzing coverage to find this
issue. We have since added a fuzzing target to cover this code path.

Patched Versions: >=0.11.14


RUSTSEC-2023-0071: Marvin Attack: potential key recovery through timing sidechannels

Package: rsa@0.9.10
Severity: Unknown
URL: RustCrypto/RSA#19 (comment)

Impact

Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.

Patches

No patch is yet available, however work is underway to migrate to a fully constant-time implementation.

Workarounds

The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.

References

This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.

Patched Versions: None


This issue was automatically created by the security audit workflow.</issue_description>

Comments on the Issue (you are @copilot in this section)



…0071 (rsa)

Co-authored-by: bashandbone <89049923+bashandbone@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix security vulnerabilities in dependencies" to "Security: patch quinn-proto DoS (RUSTSEC-2026-0037), acknowledge rsa Marvin Attack (RUSTSEC-2023-0071)" Mar 10, 2026
@bashandbone bashandbone marked this pull request as ready for review March 10, 2026 13:54
Copilot AI review requested due to automatic review settings March 10, 2026 13:54

Copilot AI left a comment


Pull request overview

Updates dependency security posture by (1) patching a QUIC transport-parameter panic in quinn-proto via lockfile bump, and (2) documenting/acknowledging an unpatched rsa timing advisory with a scoped justification in cargo-deny configuration.

Changes:

  • Bump quinn-proto from 0.11.13 to 0.11.14 in Cargo.lock to pick up the DoS/panic fix (RUSTSEC-2026-0037).
  • Add RUSTSEC-2023-0071 to deny.toml advisory ignore list with rationale and upstream tracking link.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| deny.toml | Adds an advisory ignore entry for RUSTSEC-2023-0071 with justification and tracking link. |
| Cargo.lock | Updates quinn-proto to 0.11.14 (and checksum) to incorporate the upstream fix. |


@bashandbone bashandbone merged commit 260f8d1 into main Mar 10, 2026
20 of 21 checks passed
@bashandbone bashandbone deleted the copilot/fix-security-vulnerabilities branch March 10, 2026 14:07

Development

Successfully merging this pull request may close these issues.

Security: 2 vulnerabilities found

3 participants