|
| 1 | +--- |
| 2 | +date: 2022-03-14T12:00:00.000Z |
| 3 | +category: vulnerability |
| 4 | +title: OpenSSL security releases may require Node.js security releases |
| 5 | +slug: openssl-and-high-severity-fixes-mar-2022 |
| 6 | +layout: blog-post.hbs |
| 7 | +author: Joe Sepi |
| 8 | +--- |
| 9 | + |
| 10 | +### Summary |
| 11 | + |
| 12 | +The Node.js project may be releasing new versions across all of its supported |
| 13 | +release lines late next week to incorporate upstream patches from OpenSSL. |
| 14 | +Please read on for full details. |
| 15 | + |
| 16 | +### OpenSSL |
| 17 | + |
| 18 | +The OpenSSL project |
| 19 | +[announced](https://mta.openssl.org/pipermail/openssl-announce/2022-March/000216.html) |
| 20 | +this week that they will be releasing versions 3.0.2 and 1.1.1n on the 15th of |
| 21 | +March 2022 between 1300-1700 UTC. The releases will fix two security defects that are |
| 22 | +labelled as "HIGH" severity under their |
| 23 | +[security policy](https://www.openssl.org/policies/secpolicy.html). |
| 24 | + |
| 25 | +Node.js v12.x, v14.x and v16.x use OpenSSL v1.1.1 and Node.js v17.x uses OpenSSL |
| 26 | +v3. Therefore all active release lines are impacted by this update. |
| 27 | + |
| 28 | +At this stage, due to embargo, the exact nature of these defects is uncertain |
| 29 | +as well as the impact they will have on Node.js users. |
| 30 | + |
| 31 | +After assessing the impact on Node.js, it will be decided whether the issues |
| 32 | +fixed require immediate security releases of Node.js, or whether they can be |
| 33 | +included in the normally scheduled updates. |
| 34 | + |
| 35 | +Please monitor the **nodejs-sec** Google Group for updates, including a |
| 36 | +decision within 24 hours after the OpenSSL release regarding release timing, |
| 37 | +and full details of the defects upon eventual release: |
| 38 | +https://groups.google.com/forum/#!forum/nodejs-sec |
| 39 | + |
| 40 | +### Contact and future updates |
| 41 | + |
| 42 | +The current Node.js security policy can be found at |
| 43 | +<https://github.com/nodejs/node/blob/HEAD/SECURITY.md#security>, |
| 44 | +including information on how to report a vulnerability in Node.js. |
| 45 | + |
| 46 | +Subscribe to the low-volume announcement-only **nodejs-sec** mailing list at |
| 47 | +https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on |
| 48 | +security vulnerabilities and security-related releases of Node.js and the |
| 49 | +projects maintained in the |
| 50 | +[nodejs GitHub organization](https://github.com/nodejs). |
0 commit comments