|
| 1 | +--- |
| 2 | +date: 2022-10-28T19:00:01.316Z |
| 3 | +category: vulnerability |
| 4 | +title: OpenSSL november security release |
| 5 | +slug: openssl-november-2022 |
| 6 | +layout: blog-post.hbs |
| 7 | +author: Rafael Gonzaga |
| 8 | +--- |
| 9 | + |
| 10 | +### Summary |
| 11 | + |
| 12 | +The Node.js project may be releasing new versions across all of its supported |
| 13 | +release lines in the first week of November to incorporate upstream patches |
| 14 | +from OpenSSL. Please read on for full details. |
| 15 | + |
| 16 | +### OpenSSL |
| 17 | + |
| 18 | +The OpenSSL project |
| 19 | +[announced](https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html) |
| 20 | +will release OpenSSL 3.0.7 on the 1th of |
| 21 | +November 2022 between 1300-1700 UTC. The release will fix security defects on which |
| 22 | +the _highest_ severity issue is CRITICAL. |
| 23 | + |
| 24 | +[security policy](https://www.openssl.org/policies/secpolicy.html). |
| 25 | + |
| 26 | +Node.js v16.x, v18.x and v19.x use OpenSSL v3. |
| 27 | +Therefore all active LTS release lines are impacted by this update. |
| 28 | + |
| 29 | +At this stage, due to embargo, the exact nature of these defects is uncertain |
| 30 | +as well as the impact they will have on Node.js users. |
| 31 | + |
| 32 | +After assessing the impact on Node.js, it will be decided whether the issues |
| 33 | +fixed require immediate security releases of Node.js, or whether they can be |
| 34 | +included in the normally scheduled updates. |
| 35 | + |
| 36 | +Please monitor the **nodejs-sec** Google Group for updates, including a |
| 37 | +decision within 24 hours after the OpenSSL release regarding release timing, |
| 38 | +and full details of the defects upon eventual release: |
| 39 | +https://groups.google.com/forum/#!forum/nodejs-sec |
| 40 | + |
| 41 | +### Contact and future updates |
| 42 | + |
| 43 | +The current Node.js security policy can be found at |
| 44 | +<https://github.com/nodejs/node/blob/HEAD/SECURITY.md#security>, |
| 45 | +including information on how to report a vulnerability in Node.js. |
| 46 | + |
| 47 | +Subscribe to the low-volume announcement-only **nodejs-sec** mailing list at |
| 48 | +https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on |
| 49 | +security vulnerabilities and security-related releases of Node.js and the |
| 50 | +projects maintained in the |
| 51 | +[nodejs GitHub organization](https://github.com/nodejs). |
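Review bot: In the "### OpenSSL" section, the paragraph consisting only of `[security policy](https://www.openssl.org/policies/secpolicy.html).` is an orphaned fragment with no sentence around it. It probably belongs at the end of the previous paragraph, for example "...the _highest_ severity issue is CRITICAL under their [security policy](...)." The same paragraph also needs wording fixes: "announced will release" is missing "that it", "1th of November" should be "1st of November", and "security defects on which" reads better as "of which". Next, "Node.js v16.x, v18.x and v19.x use OpenSSL v3. Therefore all active LTS release lines are impacted" is inconsistent, because v19.x is a Current release and not an LTS line. Please confirm which release lines actually bundle OpenSSL v3 and describe them as "these release lines" rather than "all active LTS release lines", and align that with the Summary's "all of its supported release lines". Smaller points: capitalise "November" in the front-matter title, and wrap the two bare nodejs-sec URLs in `<...>` to match the SECURITY.md link.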