On 08/08/2024 08:33, Peter Green wrote:
> Currently the new version of rust-pyo3 is blocked from migrating to testing
> by rust-debversion, rust-debversion is blocked by rust-sqlx, which is blocked
> by rust-sqlx-mysql which is blocked by rust-rsa.
>
> rust-rsa has a security issue filed about a timing attack, which seems to be
> taking a very long time to fix. It seems the issue was initially filed as a
> bug in 2019! but did not get reported to rustsec until November 2023; it's
> now August 2024 and it's still not fixed.
>
> In May 2024, to avoid applications getting removed from testing, I patched
> rust-debversion to disable support for rust-sqlx. However, it was re-enabled
> by jelmer in version 0.4.1-1. No comment was made about this in the changelog
> or commit message, so I don't know if this change was intentional or
> inadvertent.
>
> I see the following possibilities for moving forward.
>
> 1. Disable sqlx support
> 2. Disable mysql support in sqlx
> 3. Convince the sqlx maintainers that they should switch to a different RSA
> implementation.
> 4. Decide that the security bug is not rc after all.

IIUC, RSA is only used when the connection isn't through SSL ([sha256_password], [caching_sha256_password]), and in sqlx-mysql it is only [used] in sha256_password. Combined with the fact that no package in Debian other than sqlx was built with sqlx-mysql, I'd suggest going either 2 or 5.

Patch out the relevant code path in sqlx-mysql, removing its dependency on rsa.

[sha256_password]: https://mariadb.com/kb/en/sha256_password-plugin/
[caching_sha256_password]: https://mariadb.com/kb/en/caching_sha2_password-authentication-plugin/
[used]: https://github.com/launchbadge/sqlx/blob/main/sqlx-mysql/src/connection/auth.rs

--
Sdrager,
Blair Noctis