
build(deps): bump russh from 0.57.1 to 0.61.1#122

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/russh-0.61.1

Conversation


@dependabot dependabot Bot commented on behalf of github May 29, 2026


Bumps russh from 0.57.1 to 0.61.1.

Release notes

Sourced from russh's releases.

v0.61.1

Security fixes

GHSA-wwx6-x28x-8259

When compression is negotiated, an attacker can craft a "ZIP bomb" style packet that would bypass the maximum packet size checks. This could allow the attacker to hit the OOM limit and either get the server process killed by the OS, or, prior to russh@0.58.0, aborted. A similar issue existed in the AgentClient as well, which could be triggered by a malformed SSH agent response.

Fixes

v0.61.0

Changes

  • 32fd46f: Reduce russh write-path copies with direct Bytes sends (#695) (Mika Cohen) #695

    • New APIs allow zero-copy writes into channels:
      • Channel::data_bytes
      • Channel::extended_data_bytes
      • ChannelWriteHalf::data_bytes
      • ChannelWriteHalf::extended_data_bytes
  • deps: migrate to stable versions pkcs5 / pkcs8 / ed25519 and loosen prerelease pins (extends #697) (#702) #702 (escapecode)

  • 72b250a: migrate to upstream ssh-key crate and update RustCrypto crates (#709) (Eugene) #709

Security fixes

Part of the hardening efforts by @mjc

GHSA-hpv4-5h6f-wqr3

  • When a client changed their username between authentication requests, russh server implementation would not correctly reset its internal state (allowed methods and "partial success" state), which could lead to incorrect responses to the client.
    • Note that you still need to handle the case where the client sends a subsequent authentication request with a different username and reset any accumulated authentication state your application might have.

GHSA-g9g7-5cgw-6v28

  • When a client sent a keyboard-interactive authentication request, the prompt counter was used to directly allocate memory without verifying it, which can lead to denial of service.

GHSA-76r6-x97p-67vr

  • russh server did not enforce the SSH protocol header validation strictly enough, allowing a client to hold the connection open indefinitely, wasting resources.

GHSA-4r3c-5hpg-58qr

  • "Name list" fields such as algorithm lists were only bounded by the packet size. While the SSH protocol does not impose a limit, in practice it could allow a client to waste resources by spamming huge KEXINIT messages via multiple connections.

Fixes

  • 4186cf2: Refactor block-cipher packet-length probing to avoid unsafe state duplication (#706) (Mika Cohen) #706
  • reject trailing KEX and channel-open payloads (Mika Cohen)
  • reject trailing encrypted message payloads (Mika Cohen)

... (truncated)

Commits
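Two of the advisories quoted above (the keyboard-interactive prompt counter that sized an allocation without being checked, and name-list fields bounded only by the packet size) are instances of the same defensive rule: a count or length read off the wire must be checked against the bytes actually present and against a policy cap before it drives any allocation. The example below, added here and not taken from russh, the PR, or this repository, shows that rule applied to the SSH_MSG_USERAUTH_INFO_REQUEST layout from RFC 4256 (name, instruction, language tag, num-prompts, then prompt/echo pairs) and to a comma-separated name-list. `MAX_PROMPTS` and `MAX_NAME_LIST_LEN` are assumed policy values, not protocol constants, and the sample messages are constructed.

```rust
// Added example (not russh's code): bounds-checked parsing of an RFC 4256
// keyboard-interactive INFO_REQUEST body and of an SSH name-list field, so a
// wire-supplied count or length never sizes an allocation unchecked.
// MAX_PROMPTS and MAX_NAME_LIST_LEN are assumed policy caps, not protocol values.
const MAX_PROMPTS: usize = 64;
const MAX_NAME_LIST_LEN: usize = 4096;

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,
    TooManyPrompts(u32),
    NameListTooLong(usize),
    NotUtf8,
}

/// Minimal cursor over an SSH wire buffer (big-endian uint32, length-prefixed strings).
struct Reader<'a> {
    buf: &'a [u8],
    pos: usize,
}

impl<'a> Reader<'a> {
    fn new(buf: &'a [u8]) -> Self {
        Reader { buf, pos: 0 }
    }
    fn remaining(&self) -> usize {
        self.buf.len() - self.pos
    }
    fn u32(&mut self) -> Result<u32, ParseError> {
        if self.remaining() < 4 {
            return Err(ParseError::Truncated);
        }
        let b = &self.buf[self.pos..self.pos + 4];
        self.pos += 4;
        Ok(u32::from_be_bytes([b[0], b[1], b[2], b[3]]))
    }
    fn u8(&mut self) -> Result<u8, ParseError> {
        if self.remaining() < 1 {
            return Err(ParseError::Truncated);
        }
        self.pos += 1;
        Ok(self.buf[self.pos - 1])
    }
    /// The declared length is checked against bytes actually present before slicing.
    fn string(&mut self) -> Result<&'a [u8], ParseError> {
        let len = self.u32()? as usize;
        if len > self.remaining() {
            return Err(ParseError::Truncated);
        }
        let buf = self.buf;
        let s = &buf[self.pos..self.pos + len];
        self.pos += len;
        Ok(s)
    }
}

#[derive(Debug, PartialEq)]
pub struct Prompt {
    pub text: String,
    pub echo: bool,
}

fn utf8(b: &[u8]) -> Result<String, ParseError> {
    String::from_utf8(b.to_vec()).map_err(|_| ParseError::NotUtf8)
}

/// Parse the body of SSH_MSG_USERAUTH_INFO_REQUEST (everything after the
/// message-type byte): name, instruction, language tag, num-prompts, prompts.
pub fn parse_info_request(body: &[u8]) -> Result<Vec<Prompt>, ParseError> {
    let mut r = Reader::new(body);
    let _name = r.string()?;
    let _instruction = r.string()?;
    let _language = r.string()?;
    let num_prompts = r.u32()?;
    // Every prompt costs at least 5 bytes (uint32 length + echo flag), so the
    // bytes left bound the plausible count; enforce that and the policy cap
    // BEFORE Vec::with_capacity so the wire value never sizes the allocation.
    let plausible = (r.remaining() / 5) as u64;
    if num_prompts as usize > MAX_PROMPTS || u64::from(num_prompts) > plausible {
        return Err(ParseError::TooManyPrompts(num_prompts));
    }
    let mut prompts = Vec::with_capacity(num_prompts as usize);
    for _ in 0..num_prompts {
        let text = utf8(r.string()?)?;
        let echo = r.u8()? != 0;
        prompts.push(Prompt { text, echo });
    }
    Ok(prompts)
}

/// Parse one SSH name-list field (a string of comma-separated names), rejecting
/// it outright when it exceeds the policy cap rather than trusting the packet size.
pub fn parse_name_list(field: &[u8]) -> Result<Vec<String>, ParseError> {
    let raw = Reader::new(field).string()?;
    if raw.len() > MAX_NAME_LIST_LEN {
        return Err(ParseError::NameListTooLong(raw.len()));
    }
    Ok(utf8(raw)?.split(',').filter(|n| !n.is_empty()).map(str::to_string).collect())
}

/// Append an SSH `string` (uint32 length + bytes); used to build constructed samples.
pub fn put_string(out: &mut Vec<u8>, s: &[u8]) {
    out.extend_from_slice(&(s.len() as u32).to_be_bytes());
    out.extend_from_slice(s);
}

/// Constructed sample: a well-formed request with two prompts.
pub fn sample_good() -> Vec<u8> {
    let mut m = Vec::new();
    let fields: [&[u8]; 3] = [b"", b"Login", b""]; // name, instruction, language
    for f in fields {
        put_string(&mut m, f);
    }
    m.extend_from_slice(&2u32.to_be_bytes());
    put_string(&mut m, b"Password: ");
    m.push(0); // echo off
    put_string(&mut m, b"OTP: ");
    m.push(1); // echo on
    m
}

/// Constructed sample: three empty strings, then num-prompts = 0xFFFFFFFF with no prompt data.
pub fn sample_bogus_count() -> Vec<u8> {
    let mut m = Vec::new();
    for _ in 0..3 {
        put_string(&mut m, b"");
    }
    m.extend_from_slice(&u32::MAX.to_be_bytes());
    m
}

fn main() {
    println!("{:?}", parse_info_request(&sample_good()));
    println!("{:?}", parse_info_request(&sample_bogus_count()));
    let mut nl = Vec::new();
    put_string(&mut nl, b"ssh-ed25519,rsa-sha2-256");
    println!("{:?}", parse_name_list(&nl));
}
```

The check on `num_prompts` is deliberately two-sided: the policy cap stops a large-but-plausible count from consuming memory across many connections, and the remaining-bytes bound stops a single message from requesting a reservation it cannot possibly fill. The same shape applies to any SSH field that announces a count before its elements.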

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels May 29, 2026
Bumps [russh](https://github.com/warp-tech/russh) from 0.57.1 to 0.61.1.
- [Release notes](https://github.com/warp-tech/russh/releases)
- [Commits](Eugeny/russh@v0.57.1...v0.61.1)

---
updated-dependencies:
- dependency-name: russh
  dependency-version: 0.61.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/cargo/russh-0.61.1 branch from f66a10a to 100c54e Compare May 29, 2026 22:40