
OpenSSL releases on Nov 20th #24370

Closed
rvagg opened this issue Nov 14, 2018 · 5 comments

Comments

@rvagg
Member

rvagg commented Nov 14, 2018

https://mta.openssl.org/pipermail/openssl-announce/2018-November/000138.html

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.1a, 1.1.0j and 1.0.2q.

These releases will be made available on 20th November 2018 between
approximately 1300-1700 UTC.

These are bug-fix releases. They also contain the fixes for three LOW
severity security issues CVE-2018-0735, CVE-2018-0734 and CVE-2018-5407 which
were previously announced here:

https://www.openssl.org/news/secadv/20181029.txt
https://www.openssl.org/news/secadv/20181030.txt
https://www.openssl.org/news/secadv/20181112.txt

CVE-2018-0735 only affects the 1.1.0 branch.
CVE-2018-0734 affects the 1.1.1, 1.1.0 and 1.0.2 branches.
CVE-2018-5407 affects the 1.0.2 branch. It also affects older 1.1.0 releases
before 1.1.0i.

These are fixes I've been floating but haven't yet made it into releases:

The impression they were giving was that they were not going to bother with releases any time soon for these flaws. But now they are doing it. I'm not sure if that's because they are reconsidering their approach or because they didn't signal it well enough (or I picked up on the wrong signal).

With these new releases, all of those commits can be ignored and we'll get full increments of all OpenSSL. We haven't released any of these cherry-picks yet and now we won't need to.

/cc @nodejs/crypto @nodejs/security

@sam-github
Contributor

@rvagg I've never done an openssl letter upgrade, but I'd like to. Shall I take a shot at the 10.x/11.x update from openssl 1.1.0i to 1.1.0j? I could start tomorrow.

@rvagg
Member Author

rvagg commented Nov 14, 2018

@sam-github you'll have to wait till the 20th to get full releases. You're welcome to practice though! It's all documented in deps/openssl/README.md and deps/openssl/config/README.md

@rvagg
Member Author

rvagg commented Nov 22, 2018

FYI: Landing in #24523 & #24530 thanks to Sam. Going out next week as per https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

@rvagg rvagg closed this as completed Nov 22, 2018
@AdamMajer
Contributor

There seem to be typos in the release blogs w.r.t. CVE numbers.

https://nodejs.org/en/blog/release/v11.3.0/

needs to change CVE-2019-0735 -> CVE-2018-0735

Also, changelogs are affected:
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V11.md#11.3.0

The git changelog messages seem correct
