
chore(deps): bump the rust-dependencies group with 3 updates#1841

Merged: chaliy merged 2 commits into main from dependabot/cargo/rust-dependencies-ff46dc1dfd on Jun 2, 2026

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Jun 2, 2026

Bumps the rust-dependencies group with 3 updates: russh, serial_test and tabled.

Updates russh from 0.60.3 to 0.61.1

Release notes

Sourced from russh's releases.

v0.61.1

Security fixes

GHSA-wwx6-x28x-8259

When compression is negotiated, an attacker can craft a "ZIP bomb" style packet that would bypass the maximum packet size checks. This could allow the attacker to hit the OOM limit and either get the server process killed by the OS, or, prior to russh@0.58.0, aborted. A similar issue existed in the AgentClient as well, which could be triggered by a malformed SSH agent response.

Fixes

v0.61.0

Changes

  • 32fd46f: Reduce russh write-path copies with direct Bytes sends (#695) (Mika Cohen) #695

    • New APIs allow zero-copy writes into channels:
      • Channel::data_bytes
      • Channel::extended_data_bytes
      • ChannelWriteHalf::data_bytes
      • ChannelWriteHalf::extended_data_bytes
  • deps: migrate to stable versions pkcs5 / pkcs8 / ed25519 and loosen prerelease pins (extends #697) (#702) #702 (escapecode)

  • 72b250a: migrate to upstream ssh-key crate and update RustCrypto crates (#709) (Eugene) #709

Security fixes

Part of the hardening efforts by @mjc

GHSA-hpv4-5h6f-wqr3

  • When a client changed their username between authentication requests, russh server implementation would not correctly reset its internal state (allowed methods and "partial success" state), which could lead to incorrect responses to the client.
    • Note that you still need to handle the case where the client sends a subsequent authentication request with a different username and reset any accumulated authentication state your application might have

GHSA-g9g7-5cgw-6v28

  • When a client sent a keyboard-interactive authentication request, the prompt counter was used to directly allocate memory without verifying it, which can lead to denial of service.

GHSA-76r6-x97p-67vr

  • russh server did not enforce the SSH protocol header validation strictly enough, allowing a client to hold the connection open indefinitely, wasting resources.

GHSA-4r3c-5hpg-58qr

  • "Name list" fields such as algorithm lists were only bounded by the packet size. While the SSH protocol does not impose a limit, in practice it could allow a client to waste resources by spamming huge KEXINIT messages via multiple connections.

Fixes

  • 4186cf2: Refactor block-cipher packet-length probing to avoid unsafe state duplication (#706) (Mika Cohen) #706
  • reject trailing KEX and channel-open payloads (Mika Cohen)
  • reject trailing encrypted message payloads (Mika Cohen)
Commits

Updates serial_test from 3.4.0 to 3.5.0

Release notes

Sourced from serial_test's releases.

v3.5.0

What's Changed

New Contributors

Full Changelog: palfrey/serial_test@v3.4.0...v3.5.0

Commits

Updates tabled from 0.20.0 to 0.21.0

Changelog

Sourced from tabled's changelog.

[0.21.0] - 2026-06-01

Added

Changed

  • Reworked Charset (by @mvanhorn).
  • Removed TabSize in favor of Charset::tab_size().
  • Changed ColumnNames interface - split it into ColumnNames and RowNames.

Fixed

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the rust-dependencies group with 3 updates: [russh](https://github.com/warp-tech/russh), [serial_test](https://github.com/palfrey/serial_test) and [tabled](https://github.com/zhiburt/tabled).


Updates `russh` from 0.60.3 to 0.61.1
- [Release notes](https://github.com/warp-tech/russh/releases)
- [Commits](Eugeny/russh@v0.60.3...v0.61.1)

Updates `serial_test` from 3.4.0 to 3.5.0
- [Release notes](https://github.com/palfrey/serial_test/releases)
- [Commits](palfrey/serial_test@v3.4.0...v3.5.0)

Updates `tabled` from 0.20.0 to 0.21.0
- [Changelog](https://github.com/zhiburt/tabled/blob/master/CHANGELOG.md)
- [Commits](https://github.com/zhiburt/tabled/commits)

---
updated-dependencies:
- dependency-name: russh
  dependency-version: 0.61.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-dependencies
- dependency-name: serial_test
  dependency-version: 3.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-dependencies
- dependency-name: tabled
  dependency-version: 0.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and rust (Pull requests that update rust code) on Jun 2, 2026
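Three of the russh advisories quoted in the release notes above share one root pattern: a peer-supplied count or length is trusted before it is checked. GHSA-g9g7-5cgw-6v28 (the keyboard-interactive prompt counter used directly for allocation), GHSA-4r3c-5hpg-58qr (name lists bounded only by the packet size) and the "reject trailing payloads" fixes are all instances of it. The following is an added example, not russh's code and not part of this PR, showing the defensive shape in std-only Rust: a wire reader whose string reads compare the declared length with a cap before slicing, a name-list parser bounded by both bytes and entry count, and a prompt-list reader that bounds the counter by policy and by the bytes actually remaining, then rejects anything left over. The MAX_* limits, the Reader and WireError types and the encode_info_request helper are this example's own inventions; the message layouts follow RFC 4251 and RFC 4256. It does not cover GHSA-wwx6-x28x-8259, where the fix needs a bounded decompressor rather than a length check.

```rust
// Added example, not russh's code: bounded parsing of peer-controlled lengths in the SSH wire
// format (RFC 4251 sec. 5) and the USERAUTH_INFO_REQUEST prompt counter (RFC 4256 sec. 3.2).
const MAX_NAME_LIST_BYTES: usize = 4096; // assumed cap; real KEXINIT lists are far smaller
const MAX_NAME_LIST_ENTRIES: usize = 128; // assumed cap on algorithms per list
const MAX_TEXT_BYTES: usize = 1024; // assumed cap on name/instruction/prompt strings
const MAX_PROMPTS: usize = 16; // assumed cap on prompts per request
const SSH_MSG_USERAUTH_INFO_REQUEST: u8 = 60;
#[derive(Debug, PartialEq)]
pub enum WireError { Truncated, TooLarge, Malformed, TrailingData }
pub struct Reader<'a> { buf: &'a [u8], pos: usize }

impl<'a> Reader<'a> {
    pub fn new(buf: &'a [u8]) -> Self { Reader { buf, pos: 0 } }
    pub fn remaining(&self) -> usize { self.buf.len() - self.pos }
    // Every read goes through here; the range is checked before any byte is touched.
    fn take(&mut self, n: usize) -> Result<&'a [u8], WireError> {
        let end = self.pos.checked_add(n).ok_or(WireError::Truncated)?;
        let out = self.buf.get(self.pos..end).ok_or(WireError::Truncated)?;
        self.pos = end;
        Ok(out)
    }
    pub fn u8(&mut self) -> Result<u8, WireError> { Ok(self.take(1)?[0]) }
    pub fn u32(&mut self) -> Result<u32, WireError> {
        let b = self.take(4)?;
        Ok(u32::from_be_bytes([b[0], b[1], b[2], b[3]]))
    }
    // SSH `string`: the length is compared with `max` BEFORE it is used for slicing or
    // allocation, so a declared length of 0xFFFFFFFF costs nothing.
    pub fn string(&mut self, max: usize) -> Result<&'a [u8], WireError> {
        let len = self.u32()? as usize;
        if len > max { return Err(WireError::TooLarge); }
        self.take(len)
    }
}

fn utf8(b: &[u8]) -> Result<String, WireError> {
    String::from_utf8(b.to_vec()).map_err(|_| WireError::Malformed)
}
// `name-list`: comma-separated US-ASCII names, bounded by byte length AND entry count
// rather than only by the enclosing packet (cf. GHSA-4r3c-5hpg-58qr).
pub fn parse_name_list(r: &mut Reader<'_>) -> Result<Vec<String>, WireError> {
    let raw = r.string(MAX_NAME_LIST_BYTES)?;
    if raw.is_empty() { return Ok(Vec::new()); }
    let text = std::str::from_utf8(raw).map_err(|_| WireError::Malformed)?;
    let mut names = Vec::new();
    for name in text.split(',') {
        if name.is_empty() || !name.is_ascii() { return Err(WireError::Malformed); }
        if names.len() == MAX_NAME_LIST_ENTRIES { return Err(WireError::TooLarge); }
        names.push(name.to_owned());
    }
    Ok(names)
}

// Prompt list. The pattern GHSA-g9g7-5cgw-6v28 describes is Vec::with_capacity(n) straight
// from the wire, where n = 0xFFFFFFFF asks for gigabytes and aborts the process. Here n is
// bounded by policy and by the bytes left (a prompt is at least 5: u32 length plus boolean).
pub fn read_prompts(r: &mut Reader<'_>) -> Result<Vec<(String, bool)>, WireError> {
    let n = r.u32()? as usize;
    if n > MAX_PROMPTS || n > r.remaining() / 5 { return Err(WireError::TooLarge); }
    let mut prompts = Vec::with_capacity(n);
    for _ in 0..n {
        let text = utf8(r.string(MAX_TEXT_BYTES)?)?;
        prompts.push((text, r.u8()? != 0)); // echo flag
    }
    Ok(prompts)
}

// Whole SSH_MSG_USERAUTH_INFO_REQUEST payload. name/instruction/language are validated but
// not kept; bytes left after the last prompt are rejected (cf. "reject trailing payloads").
pub fn parse_info_request(payload: &[u8]) -> Result<Vec<(String, bool)>, WireError> {
    let mut r = Reader::new(payload);
    if r.u8()? != SSH_MSG_USERAUTH_INFO_REQUEST { return Err(WireError::Malformed); }
    for _ in 0..2 { utf8(r.string(MAX_TEXT_BYTES)?)?; } // name, instruction: UTF-8 checked
    r.string(MAX_TEXT_BYTES)?; // language tag
    let prompts = read_prompts(&mut r)?;
    if r.remaining() != 0 { return Err(WireError::TrailingData); }
    Ok(prompts)
}

// Encoders used only to build constructed sample messages (not captured traffic); `count`
// is passed separately so a lying prompt counter can be produced.
pub fn put_string(out: &mut Vec<u8>, s: &[u8]) {
    out.extend_from_slice(&(s.len() as u32).to_be_bytes());
    out.extend_from_slice(s);
}
pub fn encode_info_request(count: u32, prompts: &[(&str, bool)]) -> Vec<u8> {
    let mut out = vec![SSH_MSG_USERAUTH_INFO_REQUEST];
    for _ in 0..3 { put_string(&mut out, b""); } // empty name, instruction, language tag
    out.extend_from_slice(&count.to_be_bytes());
    for &(text, echo) in prompts { put_string(&mut out, text.as_bytes()); out.push(echo as u8); }
    out
}

fn main() {
    let benign = encode_info_request(1, &[("Password: ", false)]);
    let hostile = encode_info_request(u32::MAX, &[]); // counter says 4 billion, body holds none
    println!("{:?}", parse_info_request(&benign)); // Ok([("Password: ", false)])
    println!("{:?}", parse_info_request(&hostile)); // Err(TooLarge), nothing allocated
}
```

The order of checks is the point: `Reader::string` refuses the length before `take` ever slices, and `read_prompts` refuses the counter before `Vec::with_capacity` runs, so the worst a hostile peer can cost is the bytes it actually sent. The `remaining() / 5` bound is cheap insurance for the case where a future policy cap is raised too far: no message can legitimately announce more prompts than it has bytes to carry.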
cloudflare-workers-and-pages[bot] commented Jun 2, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status: ✅ Deployment successful! (View logs)
Name: bashkit
Latest Commit: fa768a5
Preview URL: Commit Preview URL, Branch Preview URL
Updated (UTC): Jun 02 2026, 09:36 AM

33 new/upgraded packages brought in by russh 0.61.1 (security fix for
GHSA-wwx6-x28x-8259 ZIP-bomb, GHSA-hpv4-5h6f-wqr3, GHSA-g9g7-5cgw-6v28,
GHSA-76r6-x97p-67vr, GHSA-4r3c-5hpg-58qr) lacked cargo-vet entries.

All are well-known RustCrypto / warp-tech crates with established
provenance; exemptions allow the security bump to clear the audit gate.
@chaliy chaliy merged commit ffa783e into main Jun 2, 2026
34 checks passed
@chaliy chaliy deleted the dependabot/cargo/rust-dependencies-ff46dc1dfd branch June 2, 2026 09:47