|
| 1 | +--- |
| 2 | +date: 2017-10-30T23:30:01.316Z |
| 3 | +category: vulnerability |
| 4 | +title: OpenSSL update, 1.0.2m |
| 5 | +slug: openssl-november-2017 |
| 6 | +layout: blog-post.hbs |
| 7 | +author: Rod Vagg |
| 8 | +--- |
| 9 | + |
| 10 | +The OpenSSL project has [announced](https://mta.openssl.org/pipermail/openssl-announce/2017-October/000103.html) _(also see their [correction](https://mta.openssl.org/pipermail/openssl-announce/2017-October/000104.html))_ that that they will be releasing versions 1.1.0g and 1.0.2m this week, on **Thursday the 2nd of November 2017, UTC**. The releases will fix one _"low severity security issue"_ and one _"moderate level security issue"_. "Moderate" level security issues for OpenSSL: |
| 11 | + |
| 12 | +> ... includes issues like crashes in client applications, flaws in protocols that are less commonly used (such as DTLS), and local flaws. |
| 13 | +
|
| 14 | +Note that Node.js currently does not support or bundle OpenSSL 1.1.0, so we will focus entirely on 1.0.2m in this release. |
| 15 | + |
| 16 | +Information about the "low" severity security issue is already [public](https://www.openssl.org/news/secadv/20170828.txt): |
| 17 | + |
| 18 | +> **Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)** |
| 19 | +> |
| 20 | +> If an X.509 certificate has a malformed IPAddressFamily extension, OpenSSL could do a one-byte buffer overread. The most likely result would be an erroneous display of the certificate in text format. |
| 21 | +> |
| 22 | +> As this is a low severity fix, no release is being made. The fix can be found in the source repository (1.0.2, 1.1.0, and master branches); see https://github.com/openssl/openssl/pull/4276. This bug has been present since 2006. |
| 23 | +
|
| 24 | +At this stage, due to embargo, it is uncertain what the nature of the "moderate" severity fix is, nor what impact it will have on Node.js users, if any. We will proceed as follows: |
| 25 | + |
| 26 | +Within approximately 24 hours of the OpenSSL 1.0.2m release, our crypto team will make an impact assessment for Node.js users. This information _may_ vary depending for the different active release lines and will be posted here. |
| 27 | + |
| 28 | +As part of that impact assessment we will announce our release plans for each of the active release lines to take into account any impact. **Please be prepared for the possibility of important updates to Node.js 4 "Argon", Node.js 6 "Boron", Node.js 8 "Carbon" and Node.js 9 (Current) as soon as Friday, the 3rd of November, 2017**. |
| 29 | + |
| 30 | +If our assessment concludes that the OpenSSL "moderate" security issue has very low impact for Node.js users, the Node.js release team may decide to bundle this OpenSSL upgrade with the regular, planned Node.js releases for both LTS and Current release lines and not proceed with special security releases. |
| 31 | + |
| 32 | +Please monitor the **nodejs-sec** Google Group for updates, including an impact assessment and updated details on release timing within approximately 24 hours after the OpenSSL release: https://groups.google.com/forum/#!forum/nodejs-sec |
| 33 | + |
| 34 | +## Contact and future updates |
| 35 | + |
| 36 | +The current Node.js security policy can be found at <https://nodejs.org/en/security/>. |
| 37 | + |
| 38 | +Please contact security@nodejs.org if you wish to report a vulnerability in Node.js. |
| 39 | + |
| 40 | +Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the [nodejs GitHub organisation](https://github.com/nodejs/). |
0 commit comments