Skip to content

chore(deps): bump russh from 0.58.0 to 0.60.3#516

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/russh-0.60.1
Open

chore(deps): bump russh from 0.58.0 to 0.60.3#516
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/russh-0.60.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026
edited
Loading

Copy link
Copy Markdown

Bumps russh from 0.58.0 to 0.60.3.

Release notes

Sourced from russh's releases.

v0.60.3

Security fixes

CVE-2026-46673

  • a2d48a7 (Mika Cohen)

When compression is negotiated, an attacker can craft a "ZIP bomb" style packet that would bypass the maximum packet size checks. This could allow the attacker to hit the OOM limit and either get the server process killed by the OS, or, prior to russh@0.58.0, aborted. A similar issue existed in the AgentClient as well, which could be triggered by a malformed SSH agent response.

v0.60.2

Changes

Fixes

  • c31cbc9: Fix channel write ordering with pending data (#693) (Mika Cohen) #693
  • 2a49916: fixed #697 - pin all pre-release dependencies (Eugene)

v0.60.1

Security fixes

GHSA-f5v4-2wr6-hqmg in 6c3c80a

This DoS vulnerability allowed an unauthenticated user to trigger an out-of-memory condition in a russh based server if keyboard-interactive authentication is allowed. A malicious authentication packet could trigger a multi-GB memory allocation likely leading to the process getting killed by the OOM killer.

Fixes

  • a9057ed: fixed #687 - PKCS8 key encryption not working (#688) (Eugene) #688

v0.60.0

Changes

  • dad8de6: use rand 0.10 (#673) (Joe Grund) #673

Fixes

v0.59.0

Changes

  • auth: add certificate-based authentication via SSH agent (#632) #632 (wi-adam)
  • 6996711: Replace libcrux-ml-kem with RustCrypto ml-kem (#660) (kpcyrd) #660

Fixes

  • 084dbcf: Replace Deprecated Function Calls to criterion::black_box() (#683) (Roger Knecht) #683
  • debc93c: Update dev-dependencies (env_logger, clap, termion) (#671) (kpcyrd) #671
  • 24d7527: Forward ChannelMsg::Close to channel before dropping sender (#674) (Corey Leavitt) #674
  • bb9cc42: Fix and harden deferred channel EOF/CLOSE replay after rekey (#670) (Mika Cohen) #670
  • 3047787: Reduce size of ReadSshIdBuffer, add unit tests (#672) (kpcyrd) #672

... (truncated)

Commits

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot @github

dependabot Bot commented on behalf of github Apr 27, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: rust. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot changed the title chore(deps): bump russh from 0.58.0 to 0.60.1 chore(deps): bump russh from 0.58.0 to 0.60.2 May 5, 2026
@dependabot dependabot Bot force-pushed the dependabot/cargo/russh-0.60.1 branch 3 times, most recently from 79a3cd6 to 53d10ee Compare May 11, 2026 06:23
@dependabot dependabot Bot force-pushed the dependabot/cargo/russh-0.60.1 branch 2 times, most recently from c9fc7a5 to bb9a500 Compare May 14, 2026 09:18
@dependabot
chore(deps): bump russh from 0.58.0 to 0.60.3
14c203e 
Bumps [russh](https://github.com/warp-tech/russh) from 0.58.0 to 0.60.3.
- [Release notes](https://github.com/warp-tech/russh/releases)
- [Commits](Eugeny/russh@v0.58.0...v0.60.3)

---
updated-dependencies:
- dependency-name: russh
  dependency-version: 0.60.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): bump russh from 0.58.0 to 0.60.2 chore(deps): bump russh from 0.58.0 to 0.60.3 May 19, 2026
@dependabot dependabot Bot force-pushed the dependabot/cargo/russh-0.60.1 branch from bb9a500 to 14c203e Compare May 19, 2026 06:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants