Bump russh from 0.40.2 to 0.60.3

[dependabot]

Bumps russh from 0.40.2 to 0.60.3.

Release notes

Sourced from russh's releases.

v0.60.3

Security fixes

CVE-2026-46673

• a2d48a7 (Mika Cohen)

When compression is negotiated, an attacker can craft a "ZIP bomb" style packet that would bypass the maximum packet size checks. This could allow the attacker to hit the OOM limit and either get the server process killed by the OS, or, prior to russh@0.58.0, aborted. A similar issue existed in the AgentClient as well, which could be triggered by a malformed SSH agent response.

v0.60.2

Changes

• negotiation: exclude SHA-1 MACs from Preferred::DEFAULT (#690) #690 (Derek Zar—Codebridge)

Fixes

• c31cbc9: Fix channel write ordering with pending data (#693) (Mika Cohen) #693
• 2a49916: fixed #697 - pin all pre-release dependencies (Eugene)

v0.60.1

Security fixes

GHSA-f5v4-2wr6-hqmg in 6c3c80a

This DoS vulnerability allowed an unauthenticated user to trigger an out-of-memory condition in a russh based server if keyboard-interactive authentication is allowed. A malicious authentication packet could trigger a multi-GB memory allocation likely leading to the process getting killed by the OOM killer.

Fixes

• a9057ed: fixed #687 - PKCS8 key encryption not working (#688) (Eugene) #688

v0.60.0

Changes

• dad8de6: use rand 0.10 (#673) (Joe Grund) #673

Fixes

• kex: separate GEX peer request validation from client config (#684) #684 (Artem Medvedev)

v0.59.0

Changes

• auth: add certificate-based authentication via SSH agent (#632) #632 (wi-adam)
• 6996711: Replace libcrux-ml-kem with RustCrypto ml-kem (#660) (kpcyrd) #660

Fixes

• 084dbcf: Replace Deprecated Function Calls to criterion::black_box() (#683) (Roger Knecht) #683
• debc93c: Update dev-dependencies (env_logger, clap, termion) (#671) (kpcyrd) #671
• 24d7527: Forward ChannelMsg::Close to channel before dropping sender (#674) (Corey Leavitt) #674
• bb9cc42: Fix and harden deferred channel EOF/CLOSE replay after rekey (#670) (Mika Cohen) #670
• 3047787: Reduce size of ReadSshIdBuffer, add unit tests (#672) (kpcyrd) #672

... (truncated)

Commits

• fab67f8 v0.60.3
• 4a27687 fmt
• a2d48a7 Merge commit from fork
• c4ba20d v0.60.2
• 2a49916 fixed #697 - pin all pre-release dependencies
• c31cbc9 Fix channel write ordering with pending data (#693)
• 343a4ba Fix CI failures on main (#694)
• 5cceacf fix(negotiation): exclude SHA-1 MACs from Preferred::DEFAULT (#690)
• 5a6ca29 v0.60.1
• 6c3c80a Merge commit from fork
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Superseded by #7.