Commit a2a9a4b

chore: ignore rsa Marvin timing advisory (RUSTSEC-2023-0071)
The `rsa` crate, pulled transitively (e.g. via `pgp`/rPGP for OpenPGP signature verification), carries RUSTSEC-2023-0071, the Marvin Attack timing sidechannel. It affects RSA private-key operations (signing/decryption) observable over a network, has no fixed release available upstream, and consumers that only verify signatures perform public-key operations that are unaffected. Ignore it so cargo-deny does not fail builds that only depend on rsa for verification.
1 parent cba83d3 commit a2a9a4b

1 file changed

Lines changed: 1 addition & 0 deletions

deny.toml

@@ -22,6 +22,7 @@ yanked = "warn"
2222
# A list of advisory IDs to ignore. Note that ignored advisories will still
2323
# output a note when they are encountered.
2424
ignore = [
25+
"RUSTSEC-2023-0071", # rsa Marvin timing sidechannel; affects RSA private-key ops only, no fixed release
2526
"RUSTSEC-2025-0052", # async-std discontinued
2627
"RUSTSEC-2025-0068", # serde_yml unsound and unmaintained
2728
"RUSTSEC-2025-0141", # bincode unmaintained
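
Review bot: the added `"RUSTSEC-2023-0071"` entry in `ignore` applies to the whole dependency graph, so the "affects RSA private-key ops only" rationale in its trailing comment is an assumption that nothing in this file checks. A crate that later uses `rsa` for signing or decryption would be covered by the same ignore, with only the note that ignored advisories still output to flag it. Name in the comment which dependency pulls in `rsa` and that it is used for verification only, and add a reminder to remove the entry once a fixed release exists, since "no fixed release" will go stale.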
