Blog @ Dockers DEV Site


11/01/2023 - Rust vulnerability - Cargo does not check SSH host keys

Pietro Albini has found a problem in Rust that should be patched urgently.[1] Cargo fetches foreign code from git sources over SSH without checking whether the server's SSH host key is correct.

This of course opens the door to man-in-the-middle attacks. An attacker could, for example, swap out the fetched code and tamper with libraries used for encryption, or even build in malware functionality. Either way, you should update your Rust to the current version 1.66.1 and rebuild your projects.

You should also run cargo update in your projects, because the toolchain update alone is not enough: tampered code could already sit in your cache.
The command to update (if you used rustup for the installation):

        curl --proto '=https' --tlsv1.2 -sSf | sh
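After updating, it is worth knowing which of your dependencies are fetched over SSH at all, and whether the hosts involved have a pinned key in your SSH known_hosts file, since that is what the fixed Cargo verifies against. The following script is an added example, not code from the original post or from the Rust project: it extracts the git+ssh hosts from a Cargo.lock, reports any host without a plaintext known_hosts entry, and checks that a "rustc --version" string names a release at or above 1.66.1. The Cargo.lock excerpt, the known_hosts lines, the hostnames and the version strings are all constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the original post: inventory the git-over-SSH
# dependencies in a Cargo.lock, report which hosts lack a pinned entry in the
# SSH known_hosts file, and check that the toolchain is at or above the fixed
# release 1.66.1. All hosts, keys and version strings are constructed.

# Constructed Cargo.lock excerpt: two SSH sources and one registry source.
SAMPLE_LOCK='[[package]]
name = "example-crypto"
version = "0.1.0"
source = "git+ssh://git@git.example.invalid/team/example-crypto.git?branch=main#0123abcd"

[[package]]
name = "serde"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "internal-tool"
version = "0.2.0"
source = "git+ssh://deploy@10.0.0.5:2222/srv/internal-tool.git#4567cdef"
'

# Constructed known_hosts: one plaintext entry plus one hashed (|1|...) entry
# that only "ssh-keygen -F host" can match. The port-2222 host is missing.
KNOWN_FILE=$(mktemp)
cat > "$KNOWN_FILE" <<'EOF'
git.example.invalid ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotRealxxxxxxxxxxx
|1|c29tZXNhbHQ=|aGFzaGVkaG9zdG5hbWU= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnotherConstructedKeyyyyyyyy
EOF

# Return 0 when a "rustc X.Y.Z ..." version string is at or above 1.66.1.
rustc_is_fixed() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^rustc \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 1
    set -- $ver                 # intentional word split: major minor patch
    [ "$1" -gt 1 ] && return 0
    [ "$1" -lt 1 ] && return 1
    [ "$2" -gt 66 ] && return 0
    [ "$2" -lt 66 ] && return 1
    [ "$3" -ge 1 ]
}

# Print "host port" for every git+ssh source in the Cargo.lock text on stdin.
ssh_git_hosts() {
    sed -n 's/^source = "git+ssh:\/\/\([^/"]*\)\/.*/\1/p' |
    while IFS= read -r authority; do
        hostport=${authority#*@}        # strip the optional user@ prefix
        host=${hostport%%:*}
        case $hostport in
            *:*) port=${hostport##*:} ;;
            *)   port=22 ;;
        esac
        printf '%s %s\n' "$host" "$port"
    done
}

# Return 0 when known_hosts ($3) has a plaintext entry naming host ($1) on
# port ($2). OpenSSH writes non-default ports as "[host]:port". Hashed
# entries are treated as unpinned, so the check errs toward reporting.
known_host_pinned() {
    if [ "$2" = 22 ]; then want=$1; else want="[$1]:$2"; fi
    while read -r names _rest; do
        case ",$names," in *",$want,"*) return 0 ;; esac
    done < "$3"
    return 1
}

# Audit one Cargo.lock text ($1) against one known_hosts file ($2). Prints a
# line per SSH host; returns 0 only when every host has a pinned key.
audit_lock() {
    status=0
    for pair in $(printf '%s\n' "$1" | ssh_git_hosts | tr ' ' ':'); do
        host=${pair%:*}; port=${pair##*:}
        if known_host_pinned "$host" "$port" "$2"; then
            printf 'pinned   %s:%s\n' "$host" "$port"
        else
            printf 'UNPINNED %s:%s\n' "$host" "$port"
            status=1
        fi
    done
    return $status
}

# Demo run on the constructed data (the rustc string is constructed too).
rustc_is_fixed "rustc 1.66.1 (0000000 2023-01-10)" && echo "toolchain: fixed release or newer"
audit_lock "$SAMPLE_LOCK" "$KNOWN_FILE" || echo "at least one SSH dependency host has no pinned key"
```

On a real project, feed it "$(cat Cargo.lock)" and "$HOME/.ssh/known_hosts", and feed rustc_is_fixed the output of "rustc --version". Any host reported as UNPINNED is one where the updated Cargo will refuse the connection until you have verified the server's key out of band and added it; that refusal is the fix working, not a bug to route around. The script does not parse IPv6 literals or hashed known_hosts lines; for those, "ssh-keygen -F host" is the right tool.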

A little advice:
If you read this and think: "Never mind, I only do little things nobody is interested in."
You might be right, but what makes you believe the repo wasn't tampered with because another "bigger player" was the target?

[1] CVE-2022-46176: Cargo does not check SSH host keys


Last change 11/01/2023 by Docker Rocker.
Author: "Docker Rocker" ~ 2023 · [Public Git]