From URL: "## Overview

When an SSH client establishes communication with a server, to prevent MITM attacks the client should check whether it already communicated with that server in the past and what the server's public key was back then. If the key changed since the last connection, the connection must be aborted as a MITM attack is likely taking place. It was discovered that Cargo never implemented such checks, and performed no validation on the server's public key, leaving Cargo users vulnerable to MITM attacks."

Fix is in 1.66.1, but 1.66 patches are here: https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176
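As an added illustration of the check the advisory describes (this is example code written for this page, not Cargo's fix and not from the bug report), the following Rust program does an OpenSSH-style known_hosts lookup using only the standard library: a host whose stored key matches proceeds, an unknown host is reported as unknown rather than silently accepted, and a known host presenting a different key is a mismatch that the caller must treat as a likely MITM and abort. The known_hosts contents, host names and key strings below are constructed placeholders, and the type and function names are assumptions for the example; hashed `|1|` entries, wildcard patterns and `[host]:port` forms, which OpenSSH supports, are deliberately left out.

```rust
//! Minimal known_hosts verification in the style of an SSH client.
//! Illustrative code for this page only; not Cargo's implementation.

#[derive(Debug, PartialEq)]
pub enum HostKeyCheck {
    /// Host and key type are known and the key matches: proceed.
    Match,
    /// No stored key for this host and key type: trust-on-first-use
    /// prompt or hard error, but never a silent accept.
    Unknown,
    /// Host is known under this key type but the key differs: abort,
    /// a MITM is likely. `expected` is the stored key for the error message.
    Mismatch { expected: String },
    /// The presented key is listed with an `@revoked` marker: abort.
    Revoked,
}

/// One parsed known_hosts line: `[@revoked] host1,host2 key-type base64-key`.
struct Entry {
    revoked: bool,
    hosts: Vec<String>,
    key_type: String,
    key: String,
}

/// Parse known_hosts text, skipping comments, blank lines and markers
/// other than `@revoked` (e.g. `@cert-authority`), which are out of scope here.
fn parse_known_hosts(text: &str) -> Vec<Entry> {
    let mut out = Vec::new();
    for line in text.lines() {
        let line = line.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        let mut fields = line.split_whitespace();
        let mut first = fields.next().unwrap_or("");
        let mut revoked = false;
        if first == "@revoked" {
            revoked = true;
            first = match fields.next() {
                Some(f) => f,
                None => continue,
            };
        } else if first.starts_with('@') {
            continue;
        }
        let (key_type, key) = match (fields.next(), fields.next()) {
            (Some(t), Some(k)) => (t.to_string(), k.to_string()),
            _ => continue,
        };
        out.push(Entry {
            revoked,
            hosts: first.split(',').map(|h| h.to_string()).collect(),
            key_type,
            key,
        });
    }
    out
}

/// Compare the key a server presented with what known_hosts recorded.
/// Assumption for this example: a host that is known only under a different
/// key type is treated as `Unknown` (a prompt), not as a mismatch.
pub fn check_host_key(known_hosts: &str, host: &str, key_type: &str, presented_key: &str) -> HostKeyCheck {
    let entries: Vec<Entry> = parse_known_hosts(known_hosts)
        .into_iter()
        .filter(|e| e.key_type == key_type && e.hosts.iter().any(|h| h == host))
        .collect();
    // Revocations win over everything else, as in OpenSSH.
    if entries.iter().any(|e| e.revoked && e.key == presented_key) {
        return HostKeyCheck::Revoked;
    }
    let live: Vec<&Entry> = entries.iter().filter(|e| !e.revoked).collect();
    if live.iter().any(|e| e.key == presented_key) {
        return HostKeyCheck::Match;
    }
    match live.first() {
        Some(e) => HostKeyCheck::Mismatch { expected: e.key.clone() },
        None => HostKeyCheck::Unknown,
    }
}

/// Constructed sample file; these are placeholder keys, not real host keys.
pub const SAMPLE_KNOWN_HOSTS: &str = "\
# constructed sample for the example
git.example,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY0001
git.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEKEY0002
@revoked old.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIREVOKEDKEY0003
";

fn main() {
    // A server at git.example presenting a key other than the recorded one.
    let result = check_host_key(SAMPLE_KNOWN_HOSTS, "git.example", "ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIATTACKERKEY");
    match result {
        HostKeyCheck::Match => println!("host key verified, continuing"),
        HostKeyCheck::Unknown => println!("no stored key for this host; must prompt or fail, never accept silently"),
        HostKeyCheck::Mismatch { expected } => println!("ABORT: host key changed (stored {expected}); possible MITM"),
        HostKeyCheck::Revoked => println!("ABORT: presented key is revoked"),
    }
}
```

The important property is that the function has no path that accepts an unrecorded key: `Unknown` still has to be turned into a prompt or an error by the caller, which is exactly the step the advisory says was absent.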
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bff393adcf173781fd00560a306f6597ead75208

commit bff393adcf173781fd00560a306f6597ead75208
Author: Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-01-11 20:35:46 +0000
Commit: Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-01-11 20:40:09 +0000

dev-lang/rust: add 1.66.1, drop 1.66.0

Bug: https://bugs.gentoo.org/890371
Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

dev-lang/rust/Manifest | 4 ++--
dev-lang/rust/{rust-1.66.0.ebuild => rust-1.66.1.ebuild} | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
No need for separate patches (because of -bin); I'll simply drop <1.66.1, was going to stabilize 1.66.x anyway.
Thanks!