Skip to content

chore(deps): bump russh from 0.37.1 to 0.40.2#6

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/russh-0.40.2
Open

chore(deps): bump russh from 0.37.1 to 0.40.2#6
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/russh-0.40.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Dec 18, 2023

Copy link
Copy Markdown

Bumps russh from 0.37.1 to 0.40.2.

Release notes

Sourced from russh's releases.

v0.40.2

Security fixes

CVE-2023-48795 - Terrapin Attack [a355c62]

A flaw in the SSH protocol itself allows an active MitM attacker to prevent the client & server from negotiating OpenSSH security extensions, or, with AsyncSSH, take control of the user's session.

This release adds the support for the kex-strict-*-v00@openssh.com extensions designed by OpenSSH specifically to prevent this attack.

More info: https://terrapin-attack.com

v0.40.1

Changes

  • Explicitly set minimum supported Rust version (1.65)

v0.40.0

Breaking changes

  • acd744a: ChannelStream rebuild (Maya the bee) #181
    • ChannelStream is now generic over the same type as the parent Channel
    • You can now obtain separate AsyncRead and AsyncWrite handles for a channel, as well as its extended streams with make_reader(_ext) and make_writer(_ext).

Changes

  • 92660ef: Support for NIST P-256 public keys (George Hopkins) #208
  • 4a683d2: Add client-sent keepalives (Milo Mirate) #196
  • c4a0688: Add method to read known host key (George Hopkins) #205
  • 7c03dd9: add sftp client example (Roman) #184
  • 3463ed0: Fix ChannelMsg::Close docs (Lucas Kent) #212
  • cd59590: Added client-side inactivity timeout (Adrian Müller) #211
  • c0f3458: added Server::handle_session_error and session closure logging

Fixes

  • d0908de: fixed #218 - fixed padding calculation, AES-GCM rekey and hmac-sha2-256(-etm) MAC
  • 52e5eaa: Use ChannelMsg::WindowAdjusted during data transfer (Joe Grund) #180
  • e81db83: Make winapi dep windows only (Lucas Kent) #195
  • a904a08: Fix handling of key constraints (George Hopkins) #203
  • 72afa2b: Reduce busywaiting in ChannelStream components (Milo Mirate) #197
  • 9c25fa2: Support hashed hostnames in known_hosts file (George Hopkins) #200
  • c66f4b0: fixed #198 - agent server - ed25519 key parsing

v0.39.0

Breaking changes

  • The behaviour or server::Handler::auth_publickey method has been changed.
    • Previously, this method was called before the public key's signature was verified and if you didn't pay attention to the documentation, your application might interpret this call as a successful public key authentication. In reality, it's only meant to decide whether to accept the public key offer from the client or not.
    • Now, the method is called after the signature is verified and the return value is used to decide whether to accept the authentication or not.
    • The old method has been renamed to auth_publickey_offer and will accept all offers by default.

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [russh](https://github.com/warp-tech/russh) from 0.37.1 to 0.40.2.
- [Release notes](https://github.com/warp-tech/russh/releases)
- [Commits](Eugeny/russh@v0.37.1...v0.40.2)

---
updated-dependencies:
- dependency-name: russh
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Dec 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants