Bug 1217629 (CVE-2023-49092)

Summary: VUL-0: CVE-2023-49092: TRACKERBUG: RustCrypto/RSA: Marvin Attack - potential key recovery through timing sidechannels
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: carlos.lopez, meissner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/386375/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1217630, 1217631, 1217632, 1217633, 1217634, 1217635, 1217636    

Description SMASH SMASH 2023-11-29 09:23:01 UTC 
RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a
non-constant-time implementation, information about the private key is leaked
through timing information which is observable over the network. An attacker may
be able to use that information to recover the key. There is currently no fix
available. As a workaround, avoid using the RSA crate in settings where
attackers are able to observe timing information, e.g. local use on a
non-compromised computer.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-49092