Skip to content

build(deps): bump russh-cryptovec from 0.59.0 to 0.61.0 in the cargo group across 0 directory#20

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/cargo-f9499ef6b4
Open

build(deps): bump russh-cryptovec from 0.59.0 to 0.61.0 in the cargo group across 0 directory#20
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/cargo-f9499ef6b4

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github May 21, 2026

Updates russh-cryptovec from 0.59.0 to 0.61.0

Release notes

Sourced from russh-cryptovec's releases.

v0.61.0

Changes

  • 32fd46f: Reduce russh write-path copies with direct Bytes sends (#695) (Mika Cohen) #695

    • New APIs allow zero-copy writes into channels:
      • Channel::data_bytes
      • Channel::extended_data_bytes
      • ChannelWriteHalf::data_bytes
      • ChannelWriteHalf::extended_data_bytes

  • deps: migrate to stable versions pkcs5 / pkcs8 / ed25519 and loosen prerelease pins (extends #697) (#702) #702 (escapecode)

  • 72b250a: migrate to upstream ssh-key crate and update RustCrypto crates (#709) (Eugene) #709

Security fixes

Part of the hardening efforts by @​mjc

GHSA-hpv4-5h6f-wqr3

  • When a client changed their username between authentication requests, russh server implementation would not correctly reset its internal state (allowed methods and "partial success" state), which could lead to incorrect responses to the client.
    • Note that you still need to handle the case where the client sends a subsequent authentication request with a different username and reset any accumulated authentication state your application might have

GHSA-g9g7-5cgw-6v28

  • When a client sent a keyboard-interactive authentication request, the prompt counter was used to directly allocate memory without verifying it, which can lead to denial of service.

GHSA-76r6-x97p-67vr

  • russh server did not enfore the SSH protocol header validation strictly enough, allowing a client to hold the connection open indefinitely, wasting resources.

GHSA-4r3c-5hpg-58qr

  • "Name list" fields such as algorithm lists were only bounded by the packet size. While the SSH protocol does not impose a limit, in practice it could allow a client to waste resources by spamming huge KEXINIT messages via multiple connections.

Fixes

  • 4186cf2: Refactor block-cipher packet-length probing to avoid unsafe state duplication (#706) (Mika Cohen) #706
  • reject trailing KEX and channel-open payloads (Mika Cohen)
  • reject trailing encrypted message payloads (Mika Cohen)

v0.60.3

Security fixes

CVE-2026-46673

  • a2d48a7 (Mika Cohen)

When compression is negotiated, an attacker can craft a "ZIP bomb" style packet that would bypass the maximum packet size checks. This could allow the attacker to hit the OOM limit and either get the server process killed by the OS, or, prior to russh@0.58.0, aborted. A similar issue existed in the AgentClient as well, which could be triggered by a malformed SSH agent response.

v0.60.2

Changes

... (truncated)

Commits
  • 1947d6b v0.61.0
  • 22295fa Merge commit from fork
  • 311f6cf Merge commit from fork
  • b14354e Merge commit from fork
  • 72b250a Migrate to upstream ssh-key and update crypto crates (#709)
  • fc6e3ab transport: reject trailing encrypted message payloads
  • b0961ad parser: reject trailing KEX and channel-open payloads
  • 32fd46f Reduce russh write-path copies with direct Bytes sends (#695)
  • 4186cf2 Refactor block-cipher packet-length probing to avoid unsafe state duplication...
  • 63674d9 fix(deps): migrate to stable pkcs5 / pkcs8 / ed25519 and loosen prerelease pi...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps): bump russh-cryptovec in the cargo group across 0 directory
2b03ae2 
Updates `russh-cryptovec` from 0.59.0 to 0.61.0
- [Release notes](https://github.com/warp-tech/russh/releases)
- [Commits](Eugeny/russh@v0.59.0...v0.61.0)

---
updated-dependencies:
- dependency-name: russh-cryptovec
  dependency-version: 0.61.0
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels May 21, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants