Skip to content

chore(deps): bump russh from 0.60.3 to 0.61.1#17

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/russh-0.61.1
Open

chore(deps): bump russh from 0.60.3 to 0.61.1#17
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/russh-0.61.1

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github May 29, 2026

Bumps russh from 0.60.3 to 0.61.1.

Release notes

Sourced from russh's releases.

v0.61.1

Security fixes

GHSA-wwx6-x28x-8259

When compression is negotiated, an attacker can craft a "ZIP bomb" style packet that would bypass the maximum packet size checks. This could allow the attacker to hit the OOM limit and either get the server process killed by the OS, or, prior to russh@0.58.0, aborted. A similar issue existed in the AgentClient as well, which could be triggered by a malformed SSH agent response.

Fixes

v0.61.0

Changes

  • 32fd46f: Reduce russh write-path copies with direct Bytes sends (#695) (Mika Cohen) #695

    • New APIs allow zero-copy writes into channels:
      • Channel::data_bytes
      • Channel::extended_data_bytes
      • ChannelWriteHalf::data_bytes
      • ChannelWriteHalf::extended_data_bytes

  • deps: migrate to stable versions pkcs5 / pkcs8 / ed25519 and loosen prerelease pins (extends #697) (#702) #702 (escapecode)

  • 72b250a: migrate to upstream ssh-key crate and update RustCrypto crates (#709) (Eugene) #709

Security fixes

Part of the hardening efforts by @​mjc

GHSA-hpv4-5h6f-wqr3

  • When a client changed their username between authentication requests, russh server implementation would not correctly reset its internal state (allowed methods and "partial success" state), which could lead to incorrect responses to the client.
    • Note that you still need to handle the case where the client sends a subsequent authentication request with a different username and reset any accumulated authentication state your application might have

GHSA-g9g7-5cgw-6v28

  • When a client sent a keyboard-interactive authentication request, the prompt counter was used to directly allocate memory without verifying it, which can lead to denial of service.

GHSA-76r6-x97p-67vr

  • russh server did not enfore the SSH protocol header validation strictly enough, allowing a client to hold the connection open indefinitely, wasting resources.

GHSA-4r3c-5hpg-58qr

  • "Name list" fields such as algorithm lists were only bounded by the packet size. While the SSH protocol does not impose a limit, in practice it could allow a client to waste resources by spamming huge KEXINIT messages via multiple connections.

Fixes

  • 4186cf2: Refactor block-cipher packet-length probing to avoid unsafe state duplication (#706) (Mika Cohen) #706
  • reject trailing KEX and channel-open payloads (Mika Cohen)
  • reject trailing encrypted message payloads (Mika Cohen)
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump russh from 0.60.3 to 0.61.1
7cb0524 
Bumps [russh](https://github.com/warp-tech/russh) from 0.60.3 to 0.61.1.
- [Release notes](https://github.com/warp-tech/russh/releases)
- [Commits](Eugeny/russh@v0.60.3...v0.61.1)

---
updated-dependencies:
- dependency-name: russh
  dependency-version: 0.61.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels May 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants