doc: openssl may 22 security release (nodejs#4589)

RafaelGSS · web-flow · commit ef9d666da554 · 2022-05-05T12:24:28.000-04:00
* doc: openssl may 2022 security release
diff --git a/locale/en/blog/vulnerability/openssl-fixes-in-regular-releases-may2022.md b/locale/en/blog/vulnerability/openssl-fixes-in-regular-releases-may2022.md
@@ -0,0 +1,47 @@
+---
+date: 2022-05-05T17:00:15.000Z
+category: vulnerability
+title: OpenSSL update assessment, and Node.js project plans
+slug: openssl-fixes-in-regular-releases-may2022
+layout: blog-post.hbs
+author: Rafael Gonzaga
+---
+
+## Summary
+
+The OpenSSL Security releases of May 3 2022 affects Node.js 17.x and 18.x but highest serverity is "Low"
+
+## Analysis
+
+Our assessment of the [security advisory](https://mta.openssl.org/pipermail/openssl-announce/2022-May/000224.html) is:
+
+### The `c_rehash` script allows command injection (CVE-2022-1292)
+
+Node.js doesn't use or ship the `c_rehash` script. Therefore, Node.js is not affected
+
+### `OCSP_basic_verify` may incorrectly verify the response signing certificate (CVE-2022-1343)
+
+The Node.js doesn't call `OCSP_basic_verify` with the custom flag `OCSP_NOCHECKS`. Node.js
+is not affected.
+
+### Incorrect MAC key used in the RC4-MD5 ciphersuite (CVE-2022-1434)
+
+Node.js does not compile with `--enable-weak-ssl-ciphers`, therefore, Node.js is not affected.
+
+### Resource leakage when decoding certificates and keys (CVE-2022-1473)
+
+Node.js 17.x and 18.x are affected by this CVE which is rated "Low".
+
+Given this assessment, the OpenSSL updates for Node.js will be delievered through the regular
+Node.js release cycle with releases scheduled by the end of May.
+
+### Contact and future updates
+
+The current Node.js security policy can be found at <https://github.com/nodejs/node/blob/HEAD/SECURITY.md#security>,
+including information on how to report a vulnerability in Node.js.
+
+Subscribe to the low-volume announcement-only **nodejs-sec** mailing list at
+https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on
+security vulnerabilities and security-related releases of Node.js and the
+projects maintained in the
+[nodejs GitHub organization](https://github.com/nodejs).
diff --git a/locale/en/site.json b/locale/en/site.json
@@ -159,10 +159,10 @@
   },
   "banners": {
     "index": {
-      "startDate": "2022-04-19T15:45:00.000Z",
-      "endDate": "2022-04-26T16:00:00.000Z",
-      "text": "Node.js 18 is now available!",
-      "link": "https://nodejs.org/en/blog/announcements/v18-release-announce"
+      "startDate": "2022-05-05T17:00:00.000Z",
+      "endDate": "2022-05-19T16:00:00.000Z",
+      "text": "Node.js assessment of OpenSSL 3 May 2022 security releases",
+      "link": "https://nodejs.org/en/blog/vulnerability/openssl-fixes-in-regular-releases-may2022"
     },
     "blacklivesmatter": {
       "visible": false,
