Hi Salvatore,

thanks for filing this bug.

> Please see https://rustsec.org/advisories/RUSTSEC-2023-0052.html .

This page gives a very general description of the problem:

>> When this crate is given a pathological certificate chain to validate, it
>> will spend CPU time exponential with the number of candidate certificates at
>> each step of path building.

>> Both TLS clients and TLS servers that accept client certificates are affected.


The page also indicates that the issue was fixed in version 0.22.1; hence, I've
packaged that version and closed this bug. While this might not address all
concerns (at least https://github.com/briansmith/webpki/issues/69 indicates
that there is more work to do),
https://github.com/briansmith/webpki/issues/69#issuecomment-1699894848
indicates:


>> There is a webpki 0.22.1 release that implements the signature count 
>> mitigation.


Additionally, you are asking:

> Should rust-webpki be removed from Debian testing and unstable?

```
siretart@coccia:~$ dak rm -nR  rust-webpki
Will remove the following packages from unstable:

librust-webpki-dev |   0.22.0-2 | amd64, arm64, armel, armhf, i386
rust-webpki |   0.22.0-2 | source

Maintainer: Debian Rust Maintainers 
<pkg-rust-maintain...@alioth-lists.debian.net>

------------------- Reason -------------------

----------------------------------------------

Checking reverse dependencies...
No dependency problem found.
```

I think this indicates that it can indeed be safely removed from Debian? I'm
CC'ing developers that have made uploads to this package in the past for
additional opinions, as I suspect the issue is more subtle than that.

-rt
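To make the advisory text quoted above concrete, the following is an added toy model of certificate path building, written for this page; it is not webpki's code and does not reproduce its data structures. It builds a pool in which `width` intermediates share each subject name, every one of them carries a signature that verifies, and none of them chains to a trust anchor, so a depth-first builder explores and rejects every combination: the number of signature checks grows as width^depth. A per-validation signature budget, the kind of "signature count mitigation" the thread says 0.22.1 implements, turns that into an early error. The pool, the names `PathBuilder`/`pathological_pool`, and the budget of 100 are assumptions of this example; the page does not state the limit webpki uses.

```rust
use std::collections::HashMap;

/// Toy certificate: subject name, issuer name, and whether a signature check
/// against this issuer would succeed. Real verification is replaced by a flag
/// plus a counter so the amount of work can be observed.
#[derive(Clone, Debug)]
pub struct Cert {
    pub subject: String,
    pub issuer: String,
    pub sig_ok: bool,
}

#[derive(Debug, PartialEq)]
pub enum PathError {
    NoPath,
    SignatureBudgetExceeded,
}

pub struct PathBuilder<'a> {
    by_subject: HashMap<&'a str, Vec<&'a Cert>>,
    trust_anchors: &'a [&'a str],
    budget: Option<usize>,
    pub signatures_checked: usize,
}

impl<'a> PathBuilder<'a> {
    /// `budget` of None reproduces the unbounded (pre-mitigation) behaviour.
    pub fn new(intermediates: &'a [Cert], trust_anchors: &'a [&'a str], budget: Option<usize>) -> Self {
        let mut by_subject: HashMap<&'a str, Vec<&'a Cert>> = HashMap::new();
        for c in intermediates {
            by_subject.entry(c.subject.as_str()).or_default().push(c);
        }
        Self { by_subject, trust_anchors, budget, signatures_checked: 0 }
    }

    /// Stand-in for a signature verification of `_subject` under `issuer`'s key.
    /// This is the expensive operation whose count the mitigation bounds.
    fn verify_signature(&mut self, _subject: &Cert, issuer: &Cert) -> Result<bool, PathError> {
        self.signatures_checked += 1;
        if let Some(max) = self.budget {
            if self.signatures_checked > max {
                return Err(PathError::SignatureBudgetExceeded);
            }
        }
        Ok(issuer.sig_ok)
    }

    /// Depth-first search from `leaf` to a certificate issued by a trust anchor.
    /// (The toy does not model the anchor's own key, so that final signature is
    /// not counted; it does not change the growth pattern.)
    pub fn build(&mut self, leaf: &'a Cert, max_depth: usize) -> Result<Vec<String>, PathError> {
        let mut path = vec![leaf.subject.clone()];
        if self.step(leaf, max_depth, &mut path)? { Ok(path) } else { Err(PathError::NoPath) }
    }

    fn step(&mut self, cert: &'a Cert, depth_left: usize, path: &mut Vec<String>) -> Result<bool, PathError> {
        if depth_left == 0 {
            return Ok(false);
        }
        // Every intermediate whose subject matches this cert's issuer is a candidate.
        let candidates: Vec<&'a Cert> =
            self.by_subject.get(cert.issuer.as_str()).cloned().unwrap_or_default();
        for cand in candidates {
            if !self.verify_signature(cert, cand)? {
                continue;
            }
            path.push(cand.subject.clone());
            if self.trust_anchors.contains(&cand.issuer.as_str()) {
                return Ok(true);
            }
            if self.step(cand, depth_left - 1, path)? {
                return Ok(true);
            }
            path.pop(); // dead end: backtrack and try the next candidate
        }
        Ok(false)
    }
}

/// Constructed pathological pool: `width` intermediates named CA1..CA<depth>,
/// each claiming to be issued by the next name; nothing chains to a trust anchor.
pub fn pathological_pool(width: usize, depth: usize) -> Vec<Cert> {
    let mut pool = Vec::new();
    for level in 1..=depth {
        for _ in 0..width {
            pool.push(Cert { subject: format!("CA{}", level), issuer: format!("CA{}", level + 1), sig_ok: true });
        }
    }
    pool
}

fn main() {
    let anchors = ["Root"];
    let leaf = Cert { subject: "leaf".into(), issuer: "CA1".into(), sig_ok: true };
    let pool = pathological_pool(3, 5);
    let mut unbounded = PathBuilder::new(&pool, &anchors, None);
    let r = unbounded.build(&leaf, 10);
    println!("unbounded: {:?} after {} signature checks", r, unbounded.signatures_checked);
    let mut bounded = PathBuilder::new(&pool, &anchors, Some(100));
    let r = bounded.build(&leaf, 10);
    println!("budget 100: {:?} after {} signature checks", r, bounded.signatures_checked);
}
```

With three candidates per name and five levels, the unbounded builder performs 3 + 9 + 27 + 81 + 243 = 363 signature checks before concluding there is no path; adding one more level multiplies that by three again. The budgeted builder gives up after the 101st check with a distinct error, which is what makes the pathological input cheap to reject rather than exponential.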
