Skip to content

fix(deps): update rust crate russh to 0.61.0#219

Merged
renovate[bot] merged 1 commit into
mainfrom
renovate/russh-monorepo
May 21, 2026
Merged

fix(deps): update rust crate russh to 0.61.0#219
renovate[bot] merged 1 commit into
mainfrom
renovate/russh-monorepo

Conversation

@renovate

@renovate renovate Bot commented May 21, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
russh dependencies minor 0.60.00.61.0

Release Notes

warp-tech/russh (russh)

v0.61.0

Compare Source

Changes

  • 32fd46f: Reduce russh write-path copies with direct Bytes sends (#​695) (Mika Cohen) #​695

    • New APIs allow zero-copy writes into channels:
      • Channel::data_bytes
      • Channel::extended_data_bytes
      • ChannelWriteHalf::data_bytes
      • ChannelWriteHalf::extended_data_bytes
  • deps: migrate to stable versions pkcs5 / pkcs8 / ed25519 and loosen prerelease pins (extends #​697) (#​702) #​702 (escapecode)

  • 72b250a: migrate to upstream ssh-key crate and update RustCrypto crates (#​709) (Eugene) #​709

Security fixes

Part of the hardening efforts by @​mjc

GHSA-hpv4-5h6f-wqr3
  • When a client changed their username between authentication requests, russh server implementation would not correctly reset its internal state (allowed methods and "partial success" state), which could lead to incorrect responses to the client.
    • Note that you still need to handle the case where the client sends a subsequent authentication request with a different username and reset any accumulated authentication state your application might have
GHSA-g9g7-5cgw-6v28
  • When a client sent a keyboard-interactive authentication request, the prompt counter was used to directly allocate memory without verifying it, which can lead to denial of service.
GHSA-76r6-x97p-67vr
  • russh server did not enfore the SSH protocol header validation strictly enough, allowing a client to hold the connection open indefinitely, wasting resources.
GHSA-4r3c-5hpg-58qr
  • "Name list" fields such as algorithm lists were only bounded by the packet size. While the SSH protocol does not impose a limit, in practice it could allow a client to waste resources by spamming huge KEXINIT messages via multiple connections.

Fixes

  • 4186cf2: Refactor block-cipher packet-length probing to avoid unsafe state duplication (#​706) (Mika Cohen) #​706
  • reject trailing KEX and channel-open payloads (Mika Cohen)
  • reject trailing encrypted message payloads (Mika Cohen)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity

Metric Results
Complexity 0

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@renovate renovate Bot merged commit 1b24a23 into main May 21, 2026
9 checks passed
@renovate renovate Bot deleted the renovate/russh-monorepo branch May 21, 2026 04:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants