@rustlang ("Rust Language") wrote:
CVE-2022-46176: Cargo didn't verify the host keys when downloading dependencies or registries with SSH, exposing users to MITM.
Rust 1.66.1 will be released later today with the fix. Read the advisory: https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html