Resolves CVE-2023-48795 vulnerability upgrading ssh2 to 1.15

[avilches]

• Fixes Update tunnel-ssh dependency for vulnerability CVE-2023-48795 #830

Vulnerability: CVE-2023-48795

The vulnerability is solved upgrading ssh to 1.15. This is a transitive dependency from tunnel-ssh. Upgrade tunnel-ssh to version 5 already upgrades the ssh to 1.15

[wzrdtales]

have you tested and confirmed that this is not breaking any functionality?
please list the breaking changes since your suggested version patch is major version.

[mriedem]

please list the breaking changes since your suggested version patch is major version.

Unfortunately it doesn't look like tunnel-ssh has detailed release notes or a changelog. The 5.0.0 release commit has this single entry in the README: https://github.com/agebrock/tunnel-ssh/blob/ee4086d6147f8c216570a2a3b1614e16882d7104/README.md#breaking-change-in-500

Please note that release 5.0.0 uses a complete different approch for configuration and is not compatible to prio versions.

That doesn't help much. Maybe the rest of the README helps in identifying what's changed in tunnel-ssh 5.x and how it's used in this repo (db-migrate). Not being a maintainer of this repo I can't say how it's being used. I mean, I can see this code:

node-db-migrate/lib/driver/index.js

Lines 115 to 159 in 6acaf40

	if (config.tunnel) {
	var tunnel = require('tunnel-ssh');
	var tunnelConfig = JSON.parse(JSON.stringify(config.tunnel));
	const { tunnelType } = tunnelConfig;
	if (plugins) {
	plugin = plugins.overwrite(
	`connection:tunnel:${
	tunnelType && tunnelType !== 'ssh' ? tunnelType : 'ssh'
	}`
	);
	}
	tunnelConfig.dstHost = config.host;
	tunnelConfig.dstPort = config.port;
	if (plugin) {
	tunnel =
	plugin[
	`connection:tunnel:${
	tunnelType && tunnelType !== 'ssh' ? tunnelType : 'ssh'
	}`
	](tunnelConfig);
	}
	if (tunnelConfig.privateKeyPath) {
	tunnelConfig.privateKey = require('fs').readFileSync(
	tunnelConfig.privateKeyPath
	);
	}
	// Reassign the db host/port to point to our local ssh tunnel
	config.host = '127.0.0.1';
	config.port = tunnelConfig.localPort;
	tunnel(tunnelConfig, function (err) {
	if (err) {
	callback(err);
	return;
	}
	log.verbose('SSH tunnel connected on port ', tunnelConfig.localPort);
	connect(config);
	});
	} else {

Which makes it look like tunnel-ssh is an optional dependency for this project, is that correct?

I don't see anything about that tunnel config in the db-migrate docs, so is it safe to assume that if you're using db-migrate but not using the tunnel config then tunnel-ssh and thus ssh2 and the vulnerability do not apply? @wzrdtales

[wzrdtales]

yes that is correct, it wont have an impact at all without the tunnel config. I have considered already moving the tunnel out completely into a plugin