
Commit bddd018

build: raise workspace MSRV to Rust 1.88 for the time 0.3.47 security fix
time 0.3.47 (the RUSTSEC-2026-0009 fix in v2.2.3) requires Rust 1.88, so declare rust-version 1.88 on the root bssh crate and bssh-russh. This keeps the MSRV-aware resolver from reverting time to the vulnerable 0.3.45 on a future cargo update, and notes the new minimum Rust in the README, CHANGELOG, and debian changelog.
1 parent b116ff0 commit bddd018

5 files changed

Lines changed: 8 additions & 5 deletions


CHANGELOG.md

Lines changed: 1 addition & 1 deletion
@@ -10,7 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
1010
## [2.2.3] - 2026-05-25
1111

1212
### Security
13-
- **Patch RUSTSEC-2026-0009, a stack-exhaustion denial of service in `time`** (#208). `cargo audit` flagged `time` 0.3.45 (medium, 6.8), pulled transitively via `ratatui` 0.30 to `ratatui-widgets` to `time`. Bumped `time` to 0.3.47 (with `num-conv` 0.1.0 to 0.2.2 and `time-core` 0.1.7 to 0.1.8), a lockfile-only change since `ratatui`'s requirement already permits it; `cargo audit` now reports 0 vulnerabilities. Note `time` 0.3.47 is held with a precise lockfile pin because its MSRV is above the workspace's declared `rust-version = 1.85`, so a plain MSRV-aware `cargo update` will otherwise revert it to the vulnerable 0.3.45.
13+
- **Patch RUSTSEC-2026-0009, a stack-exhaustion denial of service in `time`** (#208). `cargo audit` flagged `time` 0.3.45 (medium, 6.8), pulled transitively via `ratatui` 0.30 to `ratatui-widgets` to `time`. Bumped `time` to 0.3.47 (with `num-conv` 0.1.0 to 0.2.2 and `time-core` 0.1.7 to 0.1.8), a lockfile-only change since `ratatui`'s requirement already permits it; `cargo audit` now reports 0 vulnerabilities. Because `time` 0.3.47 requires Rust 1.88, the workspace minimum supported Rust version (`rust-version`) is raised from 1.85 to 1.88; this keeps the MSRV-aware resolver from reverting `time` to the vulnerable 0.3.45 on a future `cargo update`.
1414

1515
### Dependencies
1616
- **Sync both internal russh forks to their latest upstream releases and unify `ssh-key`** (#207). `bssh-russh` advances from a russh 0.60.3 base to **0.61.1**, adopting the new RustCrypto generation upstream migrated to: `sha2` / `sha1` 0.10 to 0.11, `hmac` 0.12 to 0.13, `aes` 0.8 to 0.9, `cbc` 0.1 to 0.2, `ctr` 0.9 to 0.10, `digest` 0.10 to 0.11, `pbkdf2` 0.12 to 0.13, `ssh-key` to 0.7.0-rc.10, and `ssh-encoding` to 0.3.0-rc.9. These cannot be bumped standalone because russh's source targets the old `cipher` 0.4 / `digest` 0.10 API; upstream moved the whole cohort together in 0.61. The high-frequency PTY `Handle::data()` drain fix is re-ported onto the new `server/session.rs` (confirmed still absent upstream in 0.61.1, so the fork remains necessary), three patches now merged upstream are removed (`channel-write-ordering`, `agent-frame-length-cap`, `sha1-mac-exclude`) leaving only `handle-data-fix.patch`, and a PTY regression test is added at `crates/bssh-russh/tests/pty_handle_data.rs`. `bssh-russh-sftp` does a full source sync from upstream 2.1.2 to **2.3.0** with the two pipelined File I/O helpers (`write_all_pipelined` / `read_to_writer_pipelined`) re-applied on top; the bssh SFTP server is adapted to the 2.3.0 `server::Handler::Error` change (now `Into<StatusReply>`, which also surfaces the human-readable error message in `SSH_FXP_STATUS`). In the main crate, `ssh-key` is unified to `=0.7.0-rc.10` so the workspace resolves a single `ssh-key` version instead of 0.6 and 0.7-rc side by side, `argon2` gains its `std` feature (restoring `rand_core`'s `OsRng` after the generation shift), and transitive deps are refreshed via `cargo update`. Both fork crates are published to crates.io at `bssh-russh` 0.61.1 and `bssh-russh-sftp` 2.3.0.
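Review bot: the rewritten entry still says the bump is "a lockfile-only change since `ratatui`'s requirement already permits it", but this same commit now edits `rust-version` in two manifests, so that clause contradicts the sentence that follows it; either drop "lockfile-only" or narrow it to "the dependency bump itself is lockfile-only". Raising the MSRV from 1.85 to 1.88 also breaks builds on older toolchains, which is a compatibility change in its own right, so give it its own bullet (for example under a "Changed" heading) instead of embedding it at the end of the security paragraph where readers scanning for build-requirement changes will not find it.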

Cargo.toml

Lines changed: 3 additions & 0 deletions
@@ -16,6 +16,9 @@ readme = "README.md"
1616
keywords = ["cli", "rust"]
1717
categories = ["command-line-utilities"]
1818
edition = "2024"
19+
# 1.88 is required by `time` 0.3.47 (the RUSTSEC-2026-0009 fix). Keeping this
20+
# declared keeps the MSRV-aware resolver from reverting `time` to 0.3.45.
21+
rust-version = "1.88"
1922

2023
[dependencies]
2124
bytes = "1.11.1"
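Review bot: the comment explains the pin well, but the commit message says only the root crate and `bssh-russh` receive `rust-version = "1.88"`; the MSRV-aware resolver honours the lowest `rust-version` declared across the members it resolves, so if any other workspace member (the changelog names `bssh-russh-sftp`) still declares a lower value, a future `cargo update` can fall back to `time` 0.3.45 despite this change. Check every member manifest, and consider declaring the value once as `[workspace.package] rust-version = "1.88"` with `rust-version.workspace = true` in each member so the copies cannot drift apart. A CI step that runs `cargo update` followed by `cargo audit` (or asserts that `Cargo.lock` still resolves `time` to 0.3.47) would turn the comment's promise into something that is actually checked.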

README.md

Lines changed: 1 addition & 1 deletion
@@ -12,7 +12,7 @@ A high-performance SSH client with **SSH-compatible syntax** for both single-hos
1212

1313
## Recent Updates
1414

15-
- **v2.2.3 (2026/05/25):** Sync both internal russh forks to upstream stable (bssh-russh to russh 0.61.1, bssh-russh-sftp to russh-sftp 2.3.0), advancing the bundled RustCrypto chain (sha2/sha1 0.11, hmac 0.13, aes 0.9, digest 0.11, pbkdf2 0.13) and collapsing ssh-key onto a single 0.7.0-rc.10; re-port the high-frequency PTY `Handle::data` drain fix onto the new server session loop, add a dedicated regression test for it, and retire three patches now merged upstream (#207). Patch RUSTSEC-2026-0009 (time stack-exhaustion DoS) by pinning `time` to 0.3.47 (#208).
15+
- **v2.2.3 (2026/05/25):** Sync both internal russh forks to upstream stable (bssh-russh to russh 0.61.1, bssh-russh-sftp to russh-sftp 2.3.0), advancing the bundled RustCrypto chain (sha2/sha1 0.11, hmac 0.13, aes 0.9, digest 0.11, pbkdf2 0.13) and collapsing ssh-key onto a single 0.7.0-rc.10; re-port the high-frequency PTY `Handle::data` drain fix onto the new server session loop, add a dedicated regression test for it, and retire three patches now merged upstream (#207). Patch RUSTSEC-2026-0009 (time stack-exhaustion DoS) by bumping `time` to 0.3.47, which raises the minimum supported Rust to 1.88 (#208).
1616
- **v2.2.2 (2026/05/25):** Keep idle SSH sessions alive (#206): lower the default `--server-alive-interval` from 60s to 30s so keepalive traffic beats common one-minute idle reapers, normalize `--server-alive-interval 0` to fully disabled keepalive instead of a zero-duration timer, and leave the client-side `inactivity_timeout` disabled so healthy interactive sessions (tmux, idle shells, long-running REPLs) are never closed by bssh itself. Dead-peer detection now resolves in about 120s instead of 180s.
1717
- **v2.2.1 (2026/05/19):** Workspace dependency upgrade pass and a controlled sync of both internal russh forks to upstream stable, picking up the SSH-agent half of CVE-2026-46673 (256 KiB frame-length cap forward-port from upstream russh `a2d48a7`) and the cryptovec hardening half via `russh-cryptovec` 0.60.3. Bumps `lru` 0.17 to 0.18, `signal-hook` 0.3 to 0.4, the `opentelemetry` family 0.31 to 0.32, and `nix` 0.31.3; syncs `bssh-russh` to upstream russh 0.60.3 and `bssh-russh-sftp` to upstream russh-sftp 2.1.2 with the two pipelined File I/O helpers re-ported on top of the new `Features` API (#203). Adds the missing `[dev-dependencies]` block to `bssh-russh` so its 75 inline tests (agent round-trip, PKCS#8 decoding, channel lifecycle, GEX, compress) compile and run for the first time since the fork's inception (#204). Drops a redundant `.into_iter()` in the synced SFTP session code that rustc 1.95's stricter `clippy::useless_conversion` lint flags (#205).
1818
- **v2.2.0 (2026/05/18):** Collect `--password` once up-front and share the secret across all parallel SSH tasks via `Arc<Password>`, fixing per-node stdin races and progress-UI interleaving; add `BSSH_PASSWORD` env support; warn (on stderr) when `-S`/`--sudo-password` is passed to subcommands where it has no effect (`ping`, `upload`, `download`, `list`, `cache-stats`) (#200, #201). Resolve all cargo-audit findings by replacing `atty` with `std::io::IsTerminal` and acknowledging the unfixable rsa Marvin Attack advisory in `.cargo/audit.toml` (#198). Drop five stale or redundant direct dependencies (`arrayvec`, `ctrlc`, `directories`, `signal-hook 0.4`, plus the macOS objc2/block2/dispatch2 chain) by migrating to `std::sync::LazyLock`/`OnceLock`, `tokio::signal::ctrl_c`, and `dirs` (#199).
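Review bot: the 1.88 minimum now appears only as a trailing clause of the v2.2.3 bullet in "Recent Updates"; if the README states a required toolchain anywhere else (an install or build-from-source section), update it there as well, since someone deciding whether they can build the project will not look in a release-note list. It would also help to say that this is a build-time requirement only and that released binaries are unaffected, which the current sentence leaves ambiguous.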

crates/bssh-russh/Cargo.toml

Lines changed: 1 addition & 1 deletion
@@ -10,7 +10,7 @@ keywords = ["ssh"]
1010
license = "Apache-2.0"
1111
readme = "README.md"
1212
repository = "https://github.com/lablup/bssh"
13-
rust-version = "1.85"
13+
rust-version = "1.88"
1414

1515
# Internal lib name matches upstream (`russh`) so vendored source and the
1616
# regression test in tests/ reference it as `russh::...`; the crate is still
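Review bot: unlike the root `Cargo.toml`, this manifest gets the new `rust-version` with no rationale, and the comment directly below says the crate is synced from vendored upstream source, so the next sync is liable to quietly reset it; add the same two-line comment here. Separately, the changelog says `bssh-russh` is published to crates.io as 0.61.1, and a published crate's `rust-version` is part of its public contract, so this bump should ship with a version increment of the crate rather than as a change to an already-published version.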

debian/changelog

Lines changed: 2 additions & 2 deletions
@@ -12,8 +12,8 @@ bssh (2.2.3-1~jammy1) jammy; urgency=medium
1212
### Security
1313
- Patch RUSTSEC-2026-0009 (#208), a stack-exhaustion denial of
1414
service in time 0.3.45 pulled transitively via ratatui. Bump time
15-
to 0.3.47 (lockfile only); cargo audit now reports zero
16-
vulnerabilities.
15+
to 0.3.47 and raise the minimum supported Rust to 1.88, which time
16+
0.3.47 requires; cargo audit now reports zero vulnerabilities.
1717

1818
-- Jeongkyu Shin <inureyes@gmail.com> Mon, 25 May 2026 12:00:00 +0900
1919

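Review bot: the wording now matches the other files, but the Debian side encodes the toolchain requirement in a second place: if `debian/control` carries a versioned `Build-Depends` on `rustc`/`cargo`, raise it to `>= 1.88` so the constraint is enforced by the package build instead of surfacing as a compile error, and confirm that the toolchain the jammy build actually uses meets 1.88. The claim "cargo audit now reports zero vulnerabilities" also holds only with the rsa Marvin advisory acknowledged in `.cargo/audit.toml` (per the v2.2.0 note in the README), which is worth stating explicitly in a security entry.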