You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
SIMD implementation for LoongArch (#592, requires nightly)
Changed
Optimized insertion path by avoiding an unnecessary match_empty (#607)
Increased minimum table size for small types (#615)
Dropped FnMut trait bounds from ExtractIf data structures (#616)
Relaxed constraint in hash_map::EntryRef insertion methods K: From<&Q> to &Q: Into<K> (#611)
Added allocator template argument for rustc_iter (#605)
The allocator-api2/nightly feature is no longer enabled by hashbrown/nightly (#606)
[v0.15.2] - 2024-11-14
Added
Marked const fn constructors as rustc_const_stable_indirect when built as
part of the standard library. (#586)
[v0.15.1] - 2024-11-03
This release removes the borsh feature introduced in 0.15.0 because it was
found to be incorrectly implemented. Users should use the hashbrown feature of
the borsh crate instead which provides the same trait implementations.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.
Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.
Affected range
<0.52.0
Fixed version
0.52.0
EPSS Score
0.030%
EPSS Percentile
9th percentile
Description
Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.
Affected range
<0.52.0
Fixed version
0.52.0
EPSS Score
0.042%
EPSS Percentile
13th percentile
Description
When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.
Affected range
<0.52.0
Fixed version
0.52.0
EPSS Score
0.033%
EPSS Percentile
10th percentile
Description
The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.
Affected range
<0.52.0
Fixed version
0.52.0
EPSS Score
0.030%
EPSS Percentile
9th percentile
Description
When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.
Affected range
<0.52.0
Fixed version
0.52.0
EPSS Score
0.022%
EPSS Percentile
7th percentile
Description
The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.
Affected range
<0.52.0
Fixed version
0.52.0
EPSS Score
0.042%
EPSS Percentile
13th percentile
Description
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
Affected range
<0.52.0
Fixed version
0.52.0
EPSS Score
0.042%
EPSS Percentile
13th percentile
Description
An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.
Affected range
<0.52.0
Fixed version
0.52.0
EPSS Score
0.074%
EPSS Percentile
22nd percentile
Description
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.
golang.org/x/net0.53.0 (golang)
pkg:golang/golang.org/x/net@0.53.0
Affected range
<0.55.0
Fixed version
0.55.0
EPSS Score
0.045%
EPSS Percentile
14th percentile
Description
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.
This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dependenciesPull requests that update a dependency filerustPull requests that update rust code
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
dependabot
Bot
added
dependencies
Bumps hashbrown from 0.15.0 to 0.15.5.
Release notes
Sourced from hashbrown's releases.
Changelog
Sourced from hashbrown's changelog.
Commits
b751eefUpdate CHANGELOG.mdda4c80echore: release v0.15.54358483Merge pull request #631 from DaniPopes/readd-likely64bd7dbRe-implement likely/unlikely with#[cold]670213fMerge pull request #601 from braddunbar/or-default-entry99761e4fix clippy issuese44ee2dMerge branch 'master' of https://github.com/rust-lang/hashbrown into or-defau...e514afeMerge pull request #624 from rust-lang/release-plz-2025-05-28T15-42-25Z8ceeb40Update CHANGELOG.mdb9be680chore: release v0.15.4Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.