Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resolves CVE-2023-48795 vulnerability upgrading ssh2 to 1.15 #831

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Resolves CVE-2023-48795 vulnerability upgrading ssh2 to 1.15 #831

wants to merge 1 commit into from

Conversation

avilches
Copy link

Vulnerability: CVE-2023-48795

The vulnerability is solved upgrading ssh to 1.15. This is a transitive dependency from tunnel-ssh. Upgrade tunnel-ssh to version 5 already upgrades the ssh to 1.15

@avilches
Resolves CVE-2023-48795 vulnerability. Upgrade "tunnel-ssh" from "^4.…
88f151d 
…0.0" to "^5.1.2", so the "ssh2" version is 1.15
@wzrdtales
Copy link
Member

have you tested and confirmed that this is not breaking any functionality?
please list the breaking changes since your suggested version patch is major version.

@mriedem
Copy link
Contributor

mriedem commented Mar 19, 2024

please list the breaking changes since your suggested version patch is major version.

Unfortunately it doesn't look like tunnel-ssh has detailed release notes or a changelog. The 5.0.0 release commit has this single entry in the README: https://github.com/agebrock/tunnel-ssh/blob/ee4086d6147f8c216570a2a3b1614e16882d7104/README.md#breaking-change-in-500

Please note that release 5.0.0 uses a complete different approch for configuration and is not compatible to prio versions.

That doesn't help much. Maybe the rest of the README helps in identifying what's changed in tunnel-ssh 5.x and how it's used in this repo (db-migrate). Not being a maintainer of this repo I can't say how it's being used. I mean, I can see this code:

node-db-migrate/lib/driver/index.js

Lines 115 to 159 in 6acaf40

if (config.tunnel) {
var tunnel = require('tunnel-ssh');
var tunnelConfig = JSON.parse(JSON.stringify(config.tunnel));
const { tunnelType } = tunnelConfig;
if (plugins) {
plugin = plugins.overwrite(
`connection:tunnel:${
tunnelType && tunnelType !== 'ssh' ? tunnelType : 'ssh'
}`
);
}
tunnelConfig.dstHost = config.host;
tunnelConfig.dstPort = config.port;
if (plugin) {
tunnel =
plugin[
`connection:tunnel:${
tunnelType && tunnelType !== 'ssh' ? tunnelType : 'ssh'
}`
](tunnelConfig);
}
if (tunnelConfig.privateKeyPath) {
tunnelConfig.privateKey = require('fs').readFileSync(
tunnelConfig.privateKeyPath
);
}
// Reassign the db host/port to point to our local ssh tunnel
config.host = '127.0.0.1';
config.port = tunnelConfig.localPort;
tunnel(tunnelConfig, function (err) {
if (err) {
callback(err);
return;
}
log.verbose('SSH tunnel connected on port ', tunnelConfig.localPort);
connect(config);
});
} else {

Which makes it look like tunnel-ssh is an optional dependency for this project, is that correct?

I don't see anything about that tunnel config in the db-migrate docs, so is it safe to assume that if you're using db-migrate but not using the tunnel config then tunnel-ssh and thus ssh2 and the vulnerability do not apply? @wzrdtales

@wzrdtales
Copy link
Member

yes that is correct, it wont have an impact at all without the tunnel config. I have considered already moving the tunnel out completely into a plugin

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Update tunnel-ssh dependency for vulnerability CVE-2023-48795
3 participants
@avilches @wzrdtales @mriedem