Upstream Rust releases this 1.66.0 CVE today
Full details here: https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
All Rust versions containing Cargo before 1.66.1 are vulnerable
Patch files for Rust 1.66.0 like we have are here (we shouldn't need these as we can autogen dev-lang/rust): https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176