Update `tunnel-ssh` dependency for vulnerability CVE-2023-48795 #830

coruscating · 2024-01-02T22:29:02Z

I'm submitting a...

Bug report
Feature request
Question

Current behavior

The vulnerability CVE-2023-48795 requires ssh2 1.15 and above to fix: mscdex/ssh2#1354

The tunnel-ssh 4.x series, which is a dependency of db-migrate, only supports ssh2 up to 1.4.0: #755. This CVE can be resolved for db-migrate if the tunnel-ssh dependency is upgraded to 5.x (or if tunnel-ssh updates its 4.x dependencies, but it's been a year since 5.x was released).

Expected behavior

The security vulnerability should be addressed.

The text was updated successfully, but these errors were encountered:

MarkR87 · 2024-02-20T07:57:24Z

Any update on this?

mriedem · 2024-03-20T14:10:42Z

For anyone else looking at this, we're not using the tunnel config with db-migrate so we're just overriding the transitive dependency in our package.json:

"overrides": {
    "db-migrate": {
      "tunnel-ssh": "^5.1.2"
    }
  }

avilches linked a pull request Feb 28, 2024 that will close this issue

Resolves CVE-2023-48795 vulnerability upgrading ssh2 to 1.15 #831

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update `tunnel-ssh` dependency for vulnerability CVE-2023-48795 #830

Update `tunnel-ssh` dependency for vulnerability CVE-2023-48795 #830

coruscating commented Jan 2, 2024

MarkR87 commented Feb 20, 2024

mriedem commented Mar 20, 2024

Update tunnel-ssh dependency for vulnerability CVE-2023-48795 #830

Update tunnel-ssh dependency for vulnerability CVE-2023-48795 #830

Comments

coruscating commented Jan 2, 2024

I'm submitting a...

Current behavior

Expected behavior

MarkR87 commented Feb 20, 2024

mriedem commented Mar 20, 2024

Update `tunnel-ssh` dependency for vulnerability CVE-2023-48795 #830

Update `tunnel-ssh` dependency for vulnerability CVE-2023-48795 #830