rPGP · CVE-2024-53857
Name of the Vulnerable Software and Affected Versions:
rPGP versions prior to 0.14.1
Description:
A crafted message can trigger resource exhaustion in rPGP. Both general message parsing and decryption with symmetric keys are affected: processing such a message can cause out-of-memory conditions that crash the rPGP process or destabilise the host through memory exhaustion. The issue also covers excessive memory allocation of up to 2 TiB, and long processing times, in decryption operations that use the `Argon2` function. An attacker can supply a valid `Symmetric Key Encrypted Session Key` packet that uses `Argon2` for String-to-Key hashing with excessive parameters that nonetheless stay within the limits the RFC 9580 OpenPGP standard permits.
Recommendations:
For versions prior to 0.14.1, upgrade to version 0.14.2, which fixes the vulnerability. As a temporary workaround, consider restricting the use of symmetric keys and limiting the size of incoming messages so that they cannot demand excessive memory allocation. Avoid the `Argon2` function for String-to-Key hashing with excessive parameters until the issue is resolved.
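As an added example (not rPGP's own code), the following Rust parser reads the Argon2 String-to-Key specifier as laid out in RFC 9580, rejects values outside the RFC's limits, and then applies a local memory cap, so the within-spec 2 TiB request described above is refused before any allocation happens. The 64 MiB cap and the `specifier` helper that builds constructed test input are assumptions for this example.

```rust
// Added example, not rPGP's own code. RFC 9580 Argon2 S2K layout: octet 0 = 0x04,
// octets 1..17 = salt, then t (passes), p (parallelism), m (memory = 2^m KiB).

/// Local policy cap (an assumption for this example): 64 MiB, far below the spec's 2 TiB.
pub const MAX_ARGON2_MEMORY_BYTES: u64 = 64 * 1024 * 1024;
#[derive(Debug, PartialEq, Eq)]
pub struct Argon2S2k { pub salt: [u8; 16], pub t: u8, pub p: u8, pub m: u8 }

#[derive(Debug, PartialEq, Eq)]
pub enum S2kError {
    Truncated,
    NotArgon2(u8),
    OutOfSpec,
    ExceedsPolicy(u64), // bytes the message asked Argon2 to allocate
}

impl Argon2S2k {
    /// 2^m KiB; the parser enforces m <= 31, so the shift cannot overflow.
    pub fn memory_bytes(&self) -> u64 { (1u64 << self.m) * 1024 }
}

/// Parses the specifier, rejects values outside RFC 9580 limits, then applies the local cap.
pub fn parse_argon2_s2k(raw: &[u8]) -> Result<Argon2S2k, S2kError> {
    if raw.len() < 20 {
        return Err(S2kError::Truncated);
    }
    if raw[0] != 0x04 {
        return Err(S2kError::NotArgon2(raw[0]));
    }
    let mut salt = [0u8; 16];
    salt.copy_from_slice(&raw[1..17]);
    let (t, p, m) = (raw[17], raw[18], raw[19]);
    // RFC 9580: t >= 1, p >= 1 and 3 + ceil(log2(p)) <= m <= 31.
    let ceil_log2_p = 8 - p.saturating_sub(1).leading_zeros() as u8;
    if t == 0 || p == 0 || m < 3 + ceil_log2_p || m > 31 {
        return Err(S2kError::OutOfSpec);
    }
    let s2k = Argon2S2k { salt, t, p, m };
    let need = s2k.memory_bytes();
    if need > MAX_ARGON2_MEMORY_BYTES {
        return Err(S2kError::ExceedsPolicy(need));
    }
    Ok(s2k)
}
/// Constructed specifier with a fixed salt, for the checks below.
pub fn specifier(t: u8, p: u8, m: u8) -> [u8; 20] {
    let mut raw = [0xABu8; 20];
    raw[0] = 0x04; raw[17] = t; raw[18] = p; raw[19] = m;
    raw
}
```

Applied to an incoming SKESK packet, `parse_argon2_s2k` turns the oversized request into an `ExceedsPolicy` error that can be logged and counted instead of an allocation attempt.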