Upgrade to OpenSSL to avoid CVE-2024-6387

[AguacateVelarde]

We use ssh2-sftp-client, a JavaScript implementation of SSH2 in Node.js, and we've read about the vulnerability with OpenSSH.

In our research, we found a breach in the ssh2 library because it uses OpenSSH v3.x. The Qualys report advises using > v4.4 to avoid this error. Internally, we're working to add observability and try to fix this binding, but if someone has fixed it before, we would appreciate your knowledge.

Qualys Report

[mscdex]

This makes no sense on multiple levels:

• The CVE has nothing to do with OpenSSL
• This module does not include OpenSSH in any form
• OpenSSH v3.x? The last OpenSSH v3.x was v3.9, released in 2004. This isn't even available on any machines in CI.

[lmynsberge]

@mscdex Sorry to reignite this thread and your replies all make sense.

One thing I wanted to make sure of though -- from my reading, this package builds its entire own SSH server and client on top of NodeJS built-ins (including OpenSSL, which, as you say, is definitely NOT OpenSSH), but does not leverage the OS's SSH implementations (if one is available) at all, is that correct? It essentially builds its own SSH software instead of the OS.

That's my read, but admittedly I've only spent a couple of hours reviewing the code in this package and might miss something.

[mscdex]

@lmynsberge You don't need to review the code, the project description says it all:

SSH2 client and server modules written in pure JavaScript for node.js

[lmynsberge]

Haha, that would do it too. Thanks a lot! Appreciate this package a lot, nice work.