Track RUSTSEC-2023-0071 (rsa marvin-attack via yubikey) #18

@systemslibrarian

Advisory: RUSTSEC-2023-0071

  • Crate: rsa 0.9.10
  • Severity: 5.9 (medium)
  • Title: Marvin Attack: potential key recovery through timing sidechannels
  • Dependency path: rsa 0.9.10 → yubikey 0.8.0 → crypto_core 0.2.0
  • Mitigation: This repo uses ECDH-only flows; no RSA encrypt/decrypt usage. The rsa crate is pulled transitively by yubikey HSM support.
  • Fix available: No fixed upgrade available upstream.
  • Action: Monitor yubikey/rsa dependency updates; remove --ignore from security-ci.yml when fixed.
  • Review date: 2026-05-01

Related: OpenSSF Scorecard §2.2 / §4.5 vulnerability remediation
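The issue's Action and Review date items can be enforced mechanically so the ignore does not outlive its justification. The following is an added example, not part of the issue or the repository's code: the lockfile excerpt is constructed from the dependency path above, and `parse_lock` and `review_ignore` are hypothetical helper names.

```python
import re
from datetime import date

# Constructed Cargo.lock excerpt mirroring the dependency path in the issue.
SAMPLE_LOCK = '''
[[package]]
name = "crypto_core"
version = "0.2.0"
dependencies = [
 "yubikey",
]
[[package]]
name = "rsa"
version = "0.9.10"
[[package]]
name = "yubikey"
version = "0.8.0"
dependencies = [
 "rsa",
]
'''

def parse_lock(text):
    """Return {name: (version, [dependency names])}; assumes one version per crate."""
    packages = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        deps = re.search(r'^dependencies = \[(.*?)^\]', block, re.M | re.S)
        names = [d.split()[0] for d in re.findall(r'"([^"]+)"', deps.group(1))] if deps else []
        packages[name] = (version, names)
    return packages

def review_ignore(lock_text, today, crate="rsa", version="0.9.10",
                  allowed_parents=("yubikey",), review_by=date(2026, 5, 1)):
    """Return findings; an empty list means the ignore still matches the issue."""
    packages = parse_lock(lock_text)
    if crate not in packages:
        return [f"{crate} no longer in lockfile: remove the ignore"]
    findings = []
    parents = sorted(n for n, (_, deps) in packages.items() if crate in deps)
    extra = [p for p in parents if p not in allowed_parents]
    if extra:
        findings.append(f"{crate} also pulled in by {', '.join(extra)}: re-check mitigation")
    if packages[crate][0] != version:
        findings.append(f"{crate} is now {packages[crate][0]}: re-run audit without the ignore")
    if today >= review_by:
        findings.append("review date reached: re-evaluate the ignore")
    return findings
```

In CI, call `review_ignore(open("Cargo.lock").read(), date.today())` and fail the job when the returned list is non-empty.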
