v0.61.1

Security fixes

GHSA-wwx6-x28x-8259

When compression is negotiated, an attacker can craft a "ZIP bomb" style packet that would bypass the maximum packet size checks. This could allow the attacker to hit the OOM limit and either get the server process killed by the OS, or, prior to russh@0.58.0, aborted. A similar issue existed in the AgentClient as well, which could be triggered by a malformed SSH agent response.

Fixes

• keys/agent: forward full agent signature blob for sk-ecdsa/sk-ed25519 keys (#701) #701 (ztbh)
• accept empty name-list in KEXINIT (RFC 4251 §5) (#710) #710 (Bernardo Meurer)