| 1 | +--- |
| 2 | +date: 2020-04-17T12:00:00.000Z |
| 3 | +category: vulnerability |
| 4 | +title: OpenSSL security releases may require Node.js security releases |
| 5 | +slug: openssl-and-low-severity-fixes-april-2020 |
| 6 | +layout: blog-post.hbs |
| 7 | +author: Sam Roberts |
| 8 | +--- |
| 9 | + |
| 10 | +### Summary |
| 11 | + |
| 12 | +The Node.js project may be releasing new versions across all of its supported |
| 13 | +release lines early next week to incorporate upstream patches from OpenSSL. |
| 14 | +Please read on for full details. |
| 15 | + |
| 16 | +### OpenSSL |
| 17 | + |
| 18 | +The OpenSSL project |
| 19 | +[announced](https://mta.openssl.org/pipermail/openssl-announce/2020-April/000170.html) |
| 20 | +this week that they will be releasing version 1.1.1g on the 21st of |
| 21 | +April. The highest severity issue that will be fixed in the release |
| 22 | +is "HIGH" severity under their |
| 23 | +[security policy](https://www.openssl.org/policies/secpolicy.html), |
| 24 | +meaning they are: |
| 25 | + |
| 26 | +> ... issues that are of a lower risk than critical, perhaps due to affecting |
| 27 | +> less common configurations, or which are less likely to be exploitable. |
| 28 | +
|
| 29 | +All supported versions of Node.js use OpenSSL v1.1.1, therefore all active |
| 30 | +release lines are impacted by this update: v10.x, v12.x, v13.x, and v14.x ( |
| 31 | +14.0.0 is to be released on the 21st of April, by coincidence). |
| 32 | + |
| 33 | +At this stage, due to embargo, the exact nature of these defects is uncertain |
| 34 | +as well as the impact they will have on Node.js users. |
| 35 | + |
| 36 | +After assessing the impact on Node.js, it will be decided whether the issues |
| 37 | +fixed require immediate security releases of Node.js, or whether they can be |
| 38 | +included in the normally scheduled updates. |
| 39 | + |
| 40 | +Please monitor the **nodejs-sec** Google Group for updates, including a |
| 41 | +decision within 24 hours after the OpenSSL release regarding release timing, |
| 42 | +and full details of the defects upon eventual release: |
| 43 | +https://groups.google.com/forum/#!forum/nodejs-sec |
| 44 | + |
| 45 | +### Contact and future updates |
| 46 | + |
| 47 | +The current Node.js security policy can be found at <https://nodejs.org/en/security/>, |
| 48 | +including information on how to report a vulnerability in Node.js. |
| 49 | + |
| 50 | +Subscribe to the low-volume announcement-only **nodejs-sec** mailing list at |
| 51 | +https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on |
| 52 | +security vulnerabilities and security-related releases of Node.js and the |
| 53 | +projects maintained in the |
| 54 | +[nodejs GitHub organisation](https://github.com/nodejs). |
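Review bot: The parenthetical at lines 30-31 breaks across the line at the opening bracket ("v14.x (" then "14.0.0 is to be released"), which renders as "( 14.0.0" with a stray space and drops the "v" prefix used for every other version on the page; move the bracket down and write it as "v14.x (v14.0.0 is to be released on the 21st of April, by coincidence)." In the same spirit, lines 21-24 say "The highest severity issue ... is "HIGH" ... meaning they are:", a singular subject followed by a plural pronoun; "meaning HIGH severity issues are:" reads cleanly into the quoted policy text. Minor consistency point: the nodejs-sec URL is a bare link at lines 43 and 51 while the security-policy URL at line 47 is wrapped in angle brackets; pick one autolink style for all three so the rendered post is uniform.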