Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nodejs: Minor updates #31494

Closed
wants to merge 3 commits into from
Closed

Nodejs: Minor updates #31494

wants to merge 3 commits into from

Conversation

adisbladis
Copy link
Member

@adisbladis adisbladis commented Nov 10, 2017
edited
Loading

Motivation for this change

Fix for CVE-2017-3736.

From upstream PR nodejs/node#16691
This upgrades to OpenSSL-1.0.2m . It includes the fix of the moderate severity of CVE-2017-3736 that affects Node in RSA calculations of TLS and crypto modules but the attack is said to be very difficult.

Edit: As @vcunat points out we are already using the system OpenSSL so it does not have any security impact. This is just a normal update.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@adisbladis adisbladis changed the title Nodejs cve 2017 3736 Nodejs: Fixes for CVE-2017-3736 Nov 10, 2017
@c0bw3b c0bw3b added 1.severity: security Issues which raise a security issue, or PRs that fix one 8.has: package (update) This PR updates a package to a newer version labels Nov 10, 2017
@c0bw3b
Copy link
Contributor

c0bw3b commented Nov 10, 2017

@adisbladis in your opinion, does this needs backporting to 17.09 ?

@vcunat
Copy link
Member

vcunat commented Nov 10, 2017

Our expressions look like we use system openssl instead of the builtin one, meaning this update probably wouldn't have security impact.

@adisbladis adisbladis changed the title Nodejs: Fixes for CVE-2017-3736 Nodejs: Minor updates Nov 10, 2017
@adisbladis
Copy link
Member Author

@vcunat You are right. No security implications here.

@c0bw3b I think the 8.x one at least should be backported as this release contained a fix for a regression.

@disassembler disassembler removed the 1.severity: security Issues which raise a security issue, or PRs that fix one label Nov 10, 2017
@adisbladis
Copy link
Member Author

ccing maintainers @cillianderoiste @Havvy @gilligan @cko

@adisbladis
Copy link
Member Author

adisbladis commented Nov 15, 2017
edited
Loading

There is a new release of nodejs-9_x (9.2.0).
I have updated and rebased this PR (does not currently build).

9.2.0 build fixed by updating libuv.

@adisbladis
Copy link
Member Author

adisbladis commented Nov 15, 2017
edited
Loading

Because of the mass-rebuild caused by the libuv upgrade I have decided to split this into separate PRs:
#31710
#31711

@adisbladis adisbladis closed this Nov 15, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
8.has: package (update) This PR updates a package to a newer version 10.rebuild-darwin: 1-10 10.rebuild-darwin: 501+ 10.rebuild-linux: 1-10 10.rebuild-linux: 501+
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@adisbladis @c0bw3b @vcunat @disassembler @GrahamcOfBorg