Bug 890371 (CVE-2022-46176) - <dev-lang/rust{-bin,}-1.66.1: cargo lacking ssh host key checking
Summary: <dev-lang/rust{-bin,}-1.66.1: cargo lacking ssh host key checking
Alias: CVE-2022-46176
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa? cleanup]
Depends on: 890541
Reported: 2023-01-10 22:24 UTC by John Helmert III
Modified: 2023-02-27 15:53 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-10 22:24:11 UTC
From URL:

"## Overview

When an SSH client establishes communication with a server, to prevent MITM
attacks the client should check whether it already communicated with that
server in the past and what the server's public key was back then. If the key
changed since the last connection, the connection must be aborted as a MITM
attack is likely taking place.

It was discovered that Cargo never implemented such checks, and performed no
validation on the server's public key, leaving Cargo users vulnerable to MITM

Fix is in 1.66.1, but 1.66 patches are here:
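The host key check the quoted advisory describes, written out as an added Rust example (not Cargo's code and not the advisory's): a lookup against an OpenSSH-style known_hosts file that turns a changed key into a hard failure. The policy is simplified: hosts are matched literally, hashed (`|1|...`) and `@cert-authority` entries are skipped, and the sample file and its key blobs are constructed placeholders.

```rust
// Added example (not Cargo's own code): a minimal OpenSSH known_hosts lookup
// implementing the policy the advisory describes. A recorded host whose key
// differs is a hard failure, never a silent accept.
#[derive(Debug, PartialEq)]
pub enum HostKeyCheck {
    Match,    // host recorded with exactly this key: proceed
    Mismatch, // host recorded with a different key of this type: abort, likely MITM
    Revoked,  // key explicitly marked @revoked: abort
    Unknown,  // no entry for this host and key type: prompt / trust on first use
}
/// `host` is matched literally, so a non-default port uses OpenSSH's `[host]:port`
/// form. `key_b64` is the base64 blob as OpenSSH writes it, so blobs compare as
/// strings. Hashed (`|1|...`) entries need HMAC-SHA1 and are skipped here.
pub fn check_host_key(known_hosts: &str, host: &str, key_type: &str, key_b64: &str) -> HostKeyCheck {
    let mut seen_host = false;
    for raw in known_hosts.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') { continue; }
        let mut fields = line.split_whitespace();
        // Optional leading marker such as @revoked or @cert-authority.
        let mut marker = None;
        let mut hosts = fields.next();
        if let Some(m) = hosts.filter(|f| f.starts_with('@')) {
            marker = Some(m);
            hosts = fields.next();
        }
        let (hosts, ktype, kdata) = match (hosts, fields.next(), fields.next()) {
            (Some(h), Some(t), Some(k)) => (h, t, k),
            _ => continue, // malformed line
        };
        // Hashed and certificate-authority entries are out of scope for this example.
        if hosts.starts_with("|1|") || marker == Some("@cert-authority") { continue; }
        if !hosts.split(',').any(|h| h == host) || ktype != key_type { continue; }
        if kdata == key_b64 {
            return if marker == Some("@revoked") { HostKeyCheck::Revoked } else { HostKeyCheck::Match };
        }
        if marker.is_none() {
            seen_host = true; // same host and key type, different key
        }
    }
    if seen_host { HostKeyCheck::Mismatch } else { HostKeyCheck::Unknown }
}

// Constructed sample file; the key blobs are placeholders, not real host keys.
pub const SAMPLE_KNOWN_HOSTS: &str = "\
# comment line
git.example,[mirror.example]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERBLOB
@revoked old.example ssh-rsa AAAAB3NzaC1yc2EREVOKEDPLACEHOLDER
";
```

A client following this policy connects only on `Match`, refuses on `Mismatch` or `Revoked`, and leaves `Unknown` to an explicit user decision rather than accepting the key silently.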
Comment 1 Larry the Git Cow gentoo-dev 2023-01-11 20:46:30 UTC
The bug has been referenced in the following commit(s):

commit bff393adcf173781fd00560a306f6597ead75208
Author:     Georgy Yakovlev <>
AuthorDate: 2023-01-11 20:35:46 +0000
Commit:     Georgy Yakovlev <>
CommitDate: 2023-01-11 20:40:09 +0000

    dev-lang/rust: add 1.66.1, drop 1.66.0
    Signed-off-by: Georgy Yakovlev <>

 dev-lang/rust/Manifest                                   | 4 ++--
 dev-lang/rust/{rust-1.66.0.ebuild => rust-1.66.1.ebuild} | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 2 Georgy Yakovlev archtester gentoo-dev 2023-01-11 20:51:28 UTC
No need for separate patches (because of -bin); I'll simply drop <1.66.1.

Was going to stabilize 1.66.x anyway.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-12 02:23:19 UTC