Commit b116ff0

release: v2.2.3
Sync both internal russh forks to upstream stable (bssh-russh to russh 0.61.1, bssh-russh-sftp to russh-sftp 2.3.0) with the new RustCrypto generation, unify ssh-key on 0.7.0-rc.10, and patch RUSTSEC-2026-0009 by pinning time to 0.3.47. Updates Cargo.toml/Cargo.lock, README, CHANGELOG, debian/changelog, and the man pages.
1 parent f431c3e commit b116ff0

8 files changed

Lines changed: 40 additions & 5 deletions

CHANGELOG.md

Lines changed: 15 additions & 0 deletions
@@ -7,6 +7,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
77

88
## [Unreleased]
99

10+
## [2.2.3] - 2026-05-25
11+
12+
### Security
13+
- **Patch RUSTSEC-2026-0009, a stack-exhaustion denial of service in `time`** (#208). `cargo audit` flagged `time` 0.3.45 (medium, 6.8), pulled transitively via `ratatui` 0.30 to `ratatui-widgets` to `time`. Bumped `time` to 0.3.47 (with `num-conv` 0.1.0 to 0.2.2 and `time-core` 0.1.7 to 0.1.8), a lockfile-only change since `ratatui`'s requirement already permits it; `cargo audit` now reports 0 vulnerabilities. Note `time` 0.3.47 is held with a precise lockfile pin because its MSRV is above the workspace's declared `rust-version = 1.85`, so a plain MSRV-aware `cargo update` will otherwise revert it to the vulnerable 0.3.45.
14+
15+
### Dependencies
16+
- **Sync both internal russh forks to their latest upstream releases and unify `ssh-key`** (#207). `bssh-russh` advances from a russh 0.60.3 base to **0.61.1**, adopting the new RustCrypto generation upstream migrated to: `sha2` / `sha1` 0.10 to 0.11, `hmac` 0.12 to 0.13, `aes` 0.8 to 0.9, `cbc` 0.1 to 0.2, `ctr` 0.9 to 0.10, `digest` 0.10 to 0.11, `pbkdf2` 0.12 to 0.13, `ssh-key` to 0.7.0-rc.10, and `ssh-encoding` to 0.3.0-rc.9. These cannot be bumped standalone because russh's source targets the old `cipher` 0.4 / `digest` 0.10 API; upstream moved the whole cohort together in 0.61. The high-frequency PTY `Handle::data()` drain fix is re-ported onto the new `server/session.rs` (confirmed still absent upstream in 0.61.1, so the fork remains necessary), three patches now merged upstream are removed (`channel-write-ordering`, `agent-frame-length-cap`, `sha1-mac-exclude`) leaving only `handle-data-fix.patch`, and a PTY regression test is added at `crates/bssh-russh/tests/pty_handle_data.rs`. `bssh-russh-sftp` does a full source sync from upstream 2.1.2 to **2.3.0** with the two pipelined File I/O helpers (`write_all_pipelined` / `read_to_writer_pipelined`) re-applied on top; the bssh SFTP server is adapted to the 2.3.0 `server::Handler::Error` change (now `Into<StatusReply>`, which also surfaces the human-readable error message in `SSH_FXP_STATUS`). In the main crate, `ssh-key` is unified to `=0.7.0-rc.10` so the workspace resolves a single `ssh-key` version instead of 0.6 and 0.7-rc side by side, `argon2` gains its `std` feature (restoring `rand_core`'s `OsRng` after the generation shift), and transitive deps are refreshed via `cargo update`. Both fork crates are published to crates.io at `bssh-russh` 0.61.1 and `bssh-russh-sftp` 2.3.0.
17+
18+
### Changed
19+
- **Fork maintenance tooling and docs refreshed** (#207). Both forks' `create-patch.sh` are now self-contained: they clone the relevant upstream into a temp directory instead of relying on a gitignored `references/` checkout, write the correct current patch names, and fall back to the default branch where upstream publishes no git tags. `sync-upstream.sh` applies every `patches/*.patch` with reverse-apply upstream detection, and both fork READMEs are rewritten for the new versions.
20+
21+
### CI/CD
22+
- Bump `action-gh-release` to v3 for the Node 24 runtime, and adjust the download shield badge.
23+
1024
## [2.2.2] - 2026-05-25
1125

1226
### Fixed
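
Review bot: The Security entry (new line 14) depends on a lockfile-only pin that, by its own wording, a plain MSRV-aware `cargo update` reverts to the vulnerable `time` 0.3.45, while the Dependencies entry (new line 17) in the same release says transitive deps were "refreshed via `cargo update`". Nothing visible in this change guards the pin against the next refresh. Suggest recording the exact re-pin command next to the note (for example `cargo update -p time --precise 0.3.47`) and stating whether `cargo audit` is a required CI check, so a lockfile that slips back to 0.3.45 fails the build rather than shipping. A smaller point on the same hunk: `ssh-key` is now pinned with `=` to a release candidate (0.7.0-rc.10); a sentence on what would lift that pin would help future maintainers.
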
@@ -868,6 +882,7 @@ None
868882
- russh library for native SSH implementation
869883
- Cross-platform support (Linux and macOS)
870884

885+
[2.2.3]: https://github.com/lablup/bssh/compare/v2.2.2...v2.2.3
871886
[2.2.2]: https://github.com/lablup/bssh/compare/v2.2.1...v2.2.2
872887
[2.2.1]: https://github.com/lablup/bssh/compare/v2.2.0...v2.2.1
873888
[2.2.0]: https://github.com/lablup/bssh/compare/v2.1.4...v2.2.0

Cargo.lock

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default.

Cargo.toml

Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ members = [
77

88
[package]
99
name = "bssh"
10-
version = "2.2.2"
10+
version = "2.2.3"
1111
authors = ["Jeongkyu Shin <inureyes@gmail.com>"]
1212
description = "Parallel SSH command execution tool for cluster management"
1313
license = "Apache-2.0"

README.md

Lines changed: 1 addition & 0 deletions
@@ -12,6 +12,7 @@ A high-performance SSH client with **SSH-compatible syntax** for both single-hos
1212

1313
## Recent Updates
1414

15+
- **v2.2.3 (2026/05/25):** Sync both internal russh forks to upstream stable (bssh-russh to russh 0.61.1, bssh-russh-sftp to russh-sftp 2.3.0), advancing the bundled RustCrypto chain (sha2/sha1 0.11, hmac 0.13, aes 0.9, digest 0.11, pbkdf2 0.13) and collapsing ssh-key onto a single 0.7.0-rc.10; re-port the high-frequency PTY `Handle::data` drain fix onto the new server session loop, add a dedicated regression test for it, and retire three patches now merged upstream (#207). Patch RUSTSEC-2026-0009 (time stack-exhaustion DoS) by pinning `time` to 0.3.47 (#208).
1516
- **v2.2.2 (2026/05/25):** Keep idle SSH sessions alive (#206): lower the default `--server-alive-interval` from 60s to 30s so keepalive traffic beats common one-minute idle reapers, normalize `--server-alive-interval 0` to fully disabled keepalive instead of a zero-duration timer, and leave the client-side `inactivity_timeout` disabled so healthy interactive sessions (tmux, idle shells, long-running REPLs) are never closed by bssh itself. Dead-peer detection now resolves in about 120s instead of 180s.
1617
- **v2.2.1 (2026/05/19):** Workspace dependency upgrade pass and a controlled sync of both internal russh forks to upstream stable, picking up the SSH-agent half of CVE-2026-46673 (256 KiB frame-length cap forward-port from upstream russh `a2d48a7`) and the cryptovec hardening half via `russh-cryptovec` 0.60.3. Bumps `lru` 0.17 to 0.18, `signal-hook` 0.3 to 0.4, the `opentelemetry` family 0.31 to 0.32, and `nix` 0.31.3; syncs `bssh-russh` to upstream russh 0.60.3 and `bssh-russh-sftp` to upstream russh-sftp 2.1.2 with the two pipelined File I/O helpers re-ported on top of the new `Features` API (#203). Adds the missing `[dev-dependencies]` block to `bssh-russh` so its 75 inline tests (agent round-trip, PKCS#8 decoding, channel lifecycle, GEX, compress) compile and run for the first time since the fork's inception (#204). Drops a redundant `.into_iter()` in the synced SFTP session code that rustc 1.95's stricter `clippy::useless_conversion` lint flags (#205).
1718
- **v2.2.0 (2026/05/18):** Collect `--password` once up-front and share the secret across all parallel SSH tasks via `Arc<Password>`, fixing per-node stdin races and progress-UI interleaving; add `BSSH_PASSWORD` env support; warn (on stderr) when `-S`/`--sudo-password` is passed to subcommands where it has no effect (`ping`, `upload`, `download`, `list`, `cache-stats`) (#200, #201). Resolve all cargo-audit findings by replacing `atty` with `std::io::IsTerminal` and acknowledging the unfixable rsa Marvin Attack advisory in `.cargo/audit.toml` (#198). Drop five stale or redundant direct dependencies (`arrayvec`, `ctrlc`, `directories`, `signal-hook 0.4`, plus the macOS objc2/block2/dispatch2 chain) by migrating to `std::sync::LazyLock`/`OnceLock`, `tokio::signal::ctrl_c`, and `dirs` (#199).
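
Review bot: In the added v2.2.3 bullet, "by pinning `time` to 0.3.47" does not say that the pin exists only in Cargo.lock, which CHANGELOG.md describes as a lockfile-only change because `ratatui`'s requirement still permits the older version. `cargo install` ignores a crate's packaged lockfile unless `--locked` is passed, so a reader who builds without it is not covered by this pin and may not get the patched `time`. Suggest wording it as "a Cargo.lock pin" and pointing source installs at `--locked`.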

debian/changelog

Lines changed: 19 additions & 0 deletions
@@ -1,3 +1,22 @@
1+
bssh (2.2.3-1~jammy1) jammy; urgency=medium
2+
3+
* v2.2.3
4+
### Dependencies
5+
- Sync both internal russh forks to upstream stable (#207). Advance
6+
bssh-russh to russh 0.61.1 and bssh-russh-sftp to russh-sftp 2.3.0,
7+
bringing the current RustCrypto generation (sha2/sha1 0.11, hmac
8+
0.13, aes 0.9, digest 0.11, pbkdf2 0.13) and unifying ssh-key on a
9+
single 0.7.0-rc.10. Re-port the high-frequency PTY Handle::data
10+
drain fix onto the new server session loop, add a regression test,
11+
and retire three patches now merged upstream.
12+
### Security
13+
- Patch RUSTSEC-2026-0009 (#208), a stack-exhaustion denial of
14+
service in time 0.3.45 pulled transitively via ratatui. Bump time
15+
to 0.3.47 (lockfile only); cargo audit now reports zero
16+
vulnerabilities.
17+
18+
-- Jeongkyu Shin <inureyes@gmail.com> Mon, 25 May 2026 12:00:00 +0900
19+
120
bssh (2.2.2-1~jammy1) jammy; urgency=medium
221

322
* v2.2.2
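
Review bot: The Security item (new lines 13-16) says "lockfile only" but drops the caveat that CHANGELOG.md carries, namely that an MSRV-aware `cargo update` reverts `time` to the vulnerable 0.3.45. A packager who regenerates Cargo.lock before building is the reader most likely to hit that, so one added line stating that the package must be built from the shipped lockfile would close the gap. Also consider listing Security before Dependencies, as CHANGELOG.md does, so the advisory is the first thing in the entry.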

docs/man/bssh-keygen.1

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
.\" Manpage for bssh-keygen
22
.\" Contact the maintainers to correct errors or typos.
3-
.TH BSSH-KEYGEN 1 "May 2026" "v2.2.2" "User Commands"
3+
.TH BSSH-KEYGEN 1 "May 2026" "v2.2.3" "User Commands"
44

55
.SH NAME
66
bssh-keygen \- SSH key pair generation tool

docs/man/bssh-server.8

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
.\" Manpage for bssh-server
22
.\" Contact the maintainers to correct errors or typos.
3-
.TH BSSH-SERVER 8 "May 2026" "v2.2.2" "System Administration Commands"
3+
.TH BSSH-SERVER 8 "May 2026" "v2.2.3" "System Administration Commands"
44

55
.SH NAME
66
bssh-server \- Backend.AI SSH Server for container environments

docs/man/bssh.1

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
.\" Manpage for bssh
22
.\" Contact the maintainers to correct errors or typos.
3-
.TH BSSH 1 "May 2026" "v2.2.2" "bssh Manual"
3+
.TH BSSH 1 "May 2026" "v2.2.3" "bssh Manual"
44

55
.SH NAME
66
bssh \- Broadcast SSH - SSH-compatible client with parallel execution capabilities
