OpenSSL update, 1.0.2m
The OpenSSL project has announced (also see their correction) that they will be releasing versions 1.1.0g and 1.0.2m this week, on Thursday the 2nd of November 2017, UTC. The releases will fix one "low severity security issue" and one "moderate level security issue". "Moderate" level security issues for OpenSSL:
... includes issues like crashes in client applications, flaws in protocols that are less commonly used (such as DTLS), and local flaws.
Note that Node.js currently does not support or bundle OpenSSL 1.1.0, so we will focus entirely on 1.0.2m in this release.
Information about the "low" severity security issue is already public:
Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
If an X.509 certificate has a malformed IPAddressFamily extension, OpenSSL could do a one-byte buffer overread. The most likely result would be an erroneous display of the certificate in text format.
As this is a low severity fix, no release is being made. The fix can be found in the source repository (1.0.2, 1.1.0, and master branches); see https://github.com/openssl/openssl/pull/4276. This bug has been present since 2006.
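As an added illustration of the bug class the advisory above describes (this is example code written for this post, not code from OpenSSL, Node.js, or the pull request linked above): RFC 3779 defines the addressFamily field of IPAddressFamily as an OCTET STRING of two or three bytes, a 2-byte Address Family Identifier (AFI) optionally followed by a 1-byte SAFI. Code that extracts the AFI without first checking the octet string's length reads one byte past the end of a one-byte value, which is exactly a one-byte overread. The octet_string type, the function names and the sample byte strings below are constructed for this example.

```c
#include <stdio.h>
#include <stdint.h>

/* Minimal stand-in for an ASN.1 OCTET STRING as a length-prefixed buffer.
   Constructed for this example; it is not OpenSSL's ASN1_OCTET_STRING. */
typedef struct {
    const uint8_t *data;
    int length;
} octet_string;

/* Unchecked variant: trusts that two bytes are present.  Given a one-byte
   octet string, data[1] is read one byte past the end of the buffer.  Shown
   only to contrast with the checked version; never call it on untrusted input. */
unsigned int afi_unchecked(const octet_string *af)
{
    return ((unsigned int)af->data[0] << 8) | af->data[1];
}

/* Checked variant: validate the length before touching the buffer.
   Returns 0 (not a valid AFI) for anything that is not 2 or 3 bytes long. */
unsigned int afi_checked(const octet_string *af)
{
    if (af == NULL || af->data == NULL || af->length < 2 || af->length > 3)
        return 0;
    return ((unsigned int)af->data[0] << 8) | af->data[1];
}

/* Full parse of addressFamily per RFC 3779: returns 1 if well-formed and
   writes the AFI and the SAFI (-1 when the optional SAFI byte is absent),
   returns 0 without touching the outputs otherwise. */
int parse_address_family(const octet_string *af, unsigned int *afi, int *safi)
{
    if (af == NULL || af->data == NULL || af->length < 2 || af->length > 3)
        return 0;
    *afi = ((unsigned int)af->data[0] << 8) | af->data[1];
    *safi = (af->length == 3) ? (int)af->data[2] : -1;
    return 1;
}

/* Constructed sample values (IANA AFI 1 = IPv4, 2 = IPv6; SAFI 1 = unicast). */
static const uint8_t IPV4_BYTES[]         = { 0x00, 0x01 };
static const uint8_t IPV6_UNICAST_BYTES[] = { 0x00, 0x02, 0x01 };
static const uint8_t MALFORMED_BYTES[]    = { 0x00 };             /* too short */
static const uint8_t TOO_LONG_BYTES[]     = { 0x00, 0x01, 0x01, 0x01 };

const octet_string SAMPLE_IPV4         = { IPV4_BYTES, 2 };
const octet_string SAMPLE_IPV6_UNICAST = { IPV6_UNICAST_BYTES, 3 };
const octet_string SAMPLE_MALFORMED    = { MALFORMED_BYTES, 1 };
const octet_string SAMPLE_TOO_LONG     = { TOO_LONG_BYTES, 4 };

/* Runs the checked parser over every sample; returns 1 if all behave as expected. */
int check_all_samples(void)
{
    unsigned int afi;
    int safi;

    if (!parse_address_family(&SAMPLE_IPV4, &afi, &safi) || afi != 0x0001 || safi != -1)
        return 0;
    if (!parse_address_family(&SAMPLE_IPV6_UNICAST, &afi, &safi) || afi != 0x0002 || safi != 1)
        return 0;
    /* Both malformed inputs must be rejected rather than read out of bounds. */
    if (parse_address_family(&SAMPLE_MALFORMED, &afi, &safi))
        return 0;
    if (parse_address_family(&SAMPLE_TOO_LONG, &afi, &safi))
        return 0;
    return 1;
}

int main(void)
{
    printf("IPv4 sample AFI: %u\n", afi_checked(&SAMPLE_IPV4));
    printf("malformed sample AFI (0 = rejected): %u\n", afi_checked(&SAMPLE_MALFORMED));
    printf("all samples parsed as expected: %s\n", check_all_samples() ? "yes" : "no");
    return 0;
}
```

The checked parser rejects the one-byte sample instead of reading past it, which is the behaviour a certificate printer needs when the extension comes from an untrusted certificate; running the unchecked variant on that same sample under AddressSanitizer would report the one-byte heap or global overread.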
At this stage, due to the embargo, it is uncertain what the nature of the "moderate" severity fix is, or what impact it will have on Node.js users, if any. We will proceed as follows:
Within approximately 24 hours of the OpenSSL 1.0.2m release, our crypto team will make an impact assessment for Node.js users. This assessment may differ between the active release lines, and will be posted here.
As part of that impact assessment we will announce our release plans for each of the active release lines to take into account any impact. Please be prepared for the possibility of important updates to Node.js 4 "Argon", Node.js 6 "Boron", Node.js 8 "Carbon" and Node.js 9 (Current) as soon as Friday, the 3rd of November, 2017.
If our assessment concludes that the OpenSSL "moderate" security issue has very low impact for Node.js users, the Node.js release team may decide to bundle this OpenSSL upgrade with the regular, planned Node.js releases for both LTS and Current release lines and not proceed with special security releases.
Contact and future updates