Merge pull request #1060 from pietroalbini/pa-cve-update

Mention additional mitigation for CVE-2022-46176

Author: Mark-Simulacrum

posts/2023-01-10-cve-2022-46176.md

@@ -52,6 +52,17 @@ message detailing how to add that public key to the list of trusted keys. Note
 that this might break your automated builds if the hosts you clone dependencies
 or indexes from are not already trusted.
 
+If you can't upgrade to Rust 1.66.1 yet, we recommend configuring Cargo to use
+the `git` CLI instead of its built-in git support. That way, all git network
+operations will be performed by the `git` CLI, which is not affected by this
+vulnerability. You can do so by adding this snippet to your [Cargo
+configuration file](https://doc.rust-lang.org/cargo/reference/config.html):
+
+```toml
+[net]
+git-fetch-with-cli = true
+```
+
 ## Acknowledgments
 
 Thanks to the Julia Security Team for disclosing this to us according to our
@@ -63,6 +74,8 @@ patch, Pietro Albini for coordinating the disclosure and writing this advisory,
 and Josh Stone, Josh Triplett and Jacob Finkelman for advising during the
 disclosure.
 
+*Updated on 2023-01-10 at 21:30 UTC to include additional mitigations.*
+
 [1]: https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf
 [2]: https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176
 [3]: https://www.rust-lang.org/policies/security