Bug 31393

Summary: cargo new security issue CVE-2022-46176
Product: Mageia
Reporter: Nicolas Salguero <nicolas.salguero>
Component: Security
Assignee: Rémi Verschelde <rverschelde>
Status: RESOLVED DUPLICATE
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8TOO
Source RPM: rust-1.66.0-1.mga9.src.rpm
CVE: CVE-2022-46176
Status comment: Fixed in version 1.66.1

Description Nicolas Salguero 2023-01-11 10:19:35 CET
Hi,

Cargo does not perform SSH host key verification when cloning indexes and dependencies via SSH.  An attacker could exploit this to perform man-in-the-middle (MITM) attacks.  All Rust versions containing Cargo before 1.66.1 are vulnerable:
https://www.openwall.com/lists/oss-security/2023/01/10/3

Best regards,

Nico.
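An added example, not code from this bug report or from the Cargo project: a POSIX shell check a packager or build-host administrator can run to decide whether a machine is exposed to the issue described above. It parses the `cargo --version` string against the 1.66.1 threshold given in the Status comment, and, for older Cargo, looks for `net.git-fetch-with-cli = true` in the Cargo config, which makes Cargo delegate fetching to the system `git` (and so to the system `ssh`, which does check known_hosts) instead of its built-in SSH transport. The function names are this example's own; the version strings and config texts at the bottom are constructed sample inputs, with a placeholder commit hash.

```shell
#!/bin/sh
# Added example (not from the Mageia bug or from Cargo itself).
# Two questions about a host, for CVE-2022-46176:
#   1. Is the installed Cargo older than 1.66.1 (the fixed version named in
#      this bug), i.e. using the built-in SSH transport that does not verify
#      host keys?
#   2. If so, is net.git-fetch-with-cli = true set, so fetches go through the
#      system git/ssh client, which does verify host keys?
# Function names are hypothetical; sample inputs below are constructed.

FIXED_VERSION_NUM=1066001   # 1.66.1 encoded as major*1000000 + minor*1000 + patch

# cargo_needs_update "<output of cargo --version>"
# Returns 0 (true) when the reported version is below 1.66.1.
cargo_needs_update() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')   # "cargo 1.66.0 (...)" -> 1.66.0
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # tolerate a two-part "1.66"
    patch=${patch%%[!0-9]*}                       # drop "-nightly"/"-beta" suffixes
    [ "$((major * 1000000 + minor * 1000 + patch))" -lt "$FIXED_VERSION_NUM" ]
}

# config_uses_git_cli "<contents of .cargo/config.toml>"
# Returns 0 (true) when git-fetch-with-cli = true is set under [net] or as
# the dotted key net.git-fetch-with-cli; commented-out lines are ignored.
config_uses_git_cli() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                                   # comment line
        /^[ \t]*\[/ { section = $0; gsub(/[][ \t]/, "", section); next }
        /git-fetch-with-cli[ \t]*=[ \t]*true/ {
            if (section == "net" || $0 ~ /^[ \t]*net\./) { found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# audit_host "<cargo --version output>" "<config text>"
# Prints a verdict; returns 0 when the host is patched or mitigated, 1 otherwise.
audit_host() {
    if ! cargo_needs_update "$1"; then
        echo "ok: Cargo is 1.66.1 or newer (fixed version per this bug)"
        return 0
    fi
    if config_uses_git_cli "$2"; then
        echo "ok: Cargo < 1.66.1 but net.git-fetch-with-cli=true delegates SSH to the system client"
        return 0
    fi
    echo "VULNERABLE: Cargo < 1.66.1 using the built-in SSH transport (no host key verification)"
    return 1
}

# Constructed sample inputs for a stand-alone run (placeholder hash and date).
SAMPLE_VERSION='cargo 1.66.0 (0000000 2022-12-15)'
SAMPLE_CONFIG_DEFAULT='[build]
jobs = 4'
SAMPLE_CONFIG_CLI='[net]
git-fetch-with-cli = true'

audit_host "$SAMPLE_VERSION" "$SAMPLE_CONFIG_DEFAULT" || :   # prints the VULNERABLE verdict
audit_host "$SAMPLE_VERSION" "$SAMPLE_CONFIG_CLI"            # prints an ok verdict
```

On a real host, feed it `"$(cargo --version)"` and the contents of `~/.cargo/config.toml` (or a project-level `.cargo/config.toml`); the workaround branch only matters for hosts that cannot yet take the 1.66.1 update, since upgrading is the fix this bug tracks.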
Nicolas Salguero 2023-01-11 10:22:33 CET

Whiteboard: (none) => MGA8TOO

Nicolas Salguero 2023-01-11 10:23:41 CET

CVE: (none) => CVE-2022-46176
Status comment: (none) => Fixed in version 1.66.1
Source RPM: (none) => rust-1.66.0-1.mga9.src.rpm

David Walser 2023-01-11 16:10:43 CET

Assignee: bugsquad => rverschelde

Comment 1 David Walser 2023-01-18 01:03:06 CET
Already had a security bug for rust.

*** This bug has been marked as a duplicate of bug 30907 ***

Resolution: (none) => DUPLICATE
Status: NEW => RESOLVED