Security vulnerability CVE-2020-26301 in ssh2 via dependency tunnel-ssh
GlieseRay opened this issue · 2 comments
GlieseRay commented
I'm submitting a...
- Bug report
- Feature request
- Question
Current behavior
The ssh2 version is fixed in tunnel-ssh, which is one of the dependencies of db-migrate. That version of ssh2 (0.5.4) has a security vulnerability reported in https://nvd.nist.gov/vuln/detail/CVE-2020-26301 and also in tunnel-ssh agebrock/tunnel-ssh#88.
It seems tunnel-ssh has not been active for a long time, so I am just wondering if there is a plan to replace tunnel-ssh or something else. Thanks
└─┬ db-migrate@0.11.12
  └─┬ tunnel-ssh@4.1.4
    └── ssh2@0.5.4
Expected behavior
Minimal reproduction of the problem with instructions
What is the motivation / use case for changing the behavior?
Environment
db-migrate version: X.Y.Z
plugins with versions: X.Y.Z
db-migrate driver with versions:
Additional information:
- Node version: XX
- Platform:
Others:
GlieseRay commented
Good news, tunnel-ssh has just updated its dependency ssh2 to 1.4.0; can we also have an update here? Thanks!
GlieseRay commented
"tunnel-ssh": "^4.0.0" will bring the latest tunnel-ssh in and could fix this issue. So closing this one.
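As an added example (not code from this issue, from db-migrate or from tunnel-ssh): a small Node script that walks an `npm ls --json` style tree and reports every dependency path that ends in an ssh2 older than 1.4.0, the version the thread says tunnel-ssh moved to. The sample tree is constructed to mirror the chain quoted above, and the `findVulnerable` and `compareVersions` names are this example's own.

```javascript
// Added example: find vulnerable transitive versions in an `npm ls --json` tree.
// Run `npm ls --json > tree.json` in a project to get real input of this shape.

// Compare two dotted versions numerically; returns -1, 0 or 1.
// Assumption: plain x.y.z versions, pre-release tags are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect "root@v > dep@v > ... > pkg@v" paths where `pkg`
// is installed at a version below `fixed`.
function findVulnerable(tree, pkg, fixed, path = []) {
  const here = [...path, `${tree.name}@${tree.version}`];
  const hits = [];
  if (tree.name === pkg && compareVersions(tree.version, fixed) < 0) {
    hits.push(here.join(' > '));
  }
  // npm ls --json nests children under "dependencies", keyed by package name.
  for (const [name, dep] of Object.entries(tree.dependencies || {})) {
    hits.push(...findVulnerable({ name, ...dep }, pkg, fixed, here));
  }
  return hits;
}

// Constructed sample mirroring the tree quoted in the issue.
const sampleTree = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    'db-migrate': {
      version: '0.11.12',
      dependencies: {
        'tunnel-ssh': {
          version: '4.1.4',
          dependencies: { ssh2: { version: '0.5.4' } },
        },
      },
    },
  },
};

// 1.4.0 is the ssh2 version the thread reports tunnel-ssh updated to.
const vulnerablePaths = findVulnerable(sampleTree, 'ssh2', '1.4.0');
console.log(vulnerablePaths);
// prints [ 'my-app@1.0.0 > db-migrate@0.11.12 > tunnel-ssh@4.1.4 > ssh2@0.5.4' ]
```

Re-running it after bumping the `tunnel-ssh` range to `^4.0.0` and reinstalling should return an empty list once the resolved ssh2 is 1.4.0 or newer.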