Opened 3 years ago
Closed 3 years ago
#16241 closed enhancement (fixed)
node.js-16.14.2
Reported by: | Bruce Dubbs | Owned by: | |
---|---|---|---|
Priority: | elevated | Milestone: | 11.2 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: | | | |
Description
New point version.
Change History (8)
comment:1 by , 3 years ago
Owner: | changed from | to |
---|---|---|
Status: | new → assigned |
comment:2 by , 3 years ago
Priority: | normal → elevated |
---|---|
comment:3 by , 3 years ago
Summary: | node.js-16.14.1 → node.js-16.14.2 |
---|---|
Now version 16.14.2
2022-03-17, Version 16.14.2 'Gallium' (LTS)
This is a security release.
### Notable Changes
Update to OpenSSL 1.1.1n, which addresses the following vulnerability:
- Infinite loop in `BN_mod_sqrt()` reachable when parsing certificates (High) (CVE-2022-0778). More details are available at <https://www.openssl.org/news/secadv/20220315.txt>
### Commits
- deps: update archs files for OpenSSL-1.1.1
- deps: upgrade openssl sources to OpenSSL_1_1_1n
- test: fix tests affected by OpenSSL update
comment:4 by , 3 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
I am not sure about the openssl issue since we pass -shared-openssl to configure.
Fixed at commit 01ff770df32bff9e1d59c4a6a78ce43c8da8d1d9
comment:5 by , 3 years ago (follow-up: comment:7)
Resolution: | fixed |
---|---|
Status: | closed → reopened |
I had a look at the diff, I agree it is unclear (the headers used are the local 1.1.1n in the node source, I'm not sure if that is vanilla openssl or with modifications, but it links to system 3.0.2 (or earlier if openssl has not been updated)). I'm doing advisories; rather than miss this I'll create an advisory.
comment:6 by , 3 years ago
Owner: | changed from | to |
---|---|---|
Status: | reopened → new |
comment:7 by , 3 years ago
Replying to ken@…:
I had a look at the diff, I agree it is unclear (the headers used are the local 1.1.1n in the node source, I'm not sure if that is vanilla openssl or with modifications, but it links to system 3.0.2 (or earlier if openssl has not been updated)). I'm doing advisories; rather than miss this I'll create an advisory.
In the end, I diffed against upstream 1.1.1n - differences in e.g. configuration options (added quic as an option), various other small changes (as well as omitting the demos and doc from upstream). It seems the 'quic' support is enabled in node (https://developpaper.com/quic-support-for-node-js/), therefore I recommend people to upgrade.
According to https://nodejs.org/en/blog/vulnerability/mar-2022-security-releases/ this incorporates upstream patches from openssl, and they state that node is vulnerable to one High severity issue, but they don't say which one.
Looking at the build log, they include deps/openssl/include from the node source even when linking to (system) libssl.
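An added helper (not part of this ticket or of the BLFS book) for the question raised in the comments above: which OpenSSL copy a node binary's fix for CVE-2022-0778 actually depends on. It parses `ldd node` output for a shared libssl/libcrypto and compares a version string such as the one from `openssl version` or `node -p process.versions.openssl` against the fixed releases 1.1.1n and 3.0.2; the ldd lines are a constructed sample and the function names are my own.

```python
import re

# Releases in which OpenSSL fixed CVE-2022-0778 (BN_mod_sqrt() infinite loop):
# 1.1.1n on the 1.1.1 branch and 3.0.2 on the 3.0 branch.
FIXED_1_1_1 = (1, 1, 1, "n")
FIXED_3_0 = (3, 0, 2, "")
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")
# libssl/libcrypto lines of `ldd /usr/bin/node` (soname => path).
_LDD_RE = re.compile(r"^\s*(lib(?:ssl|crypto)\.so\S*)\s*=>\s*(\S+)", re.M)

def parse_version(text):
    """'1.1.1n' or '3.0.2' (from `openssl version` or `node -p
    process.versions.openssl`) -> comparable tuple; a suffix such as '+quic' is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)

def is_fixed_for_cve_2022_0778(version):
    """True/False on the 1.1.1 and 3.x branches; None for other branches
    (e.g. 1.0.2, out of public support when the fix shipped)."""
    v = parse_version(version)
    if v[:3] == (1, 1, 1):
        return v >= FIXED_1_1_1
    if v[0] == 3:
        return v >= FIXED_3_0
    return None

def shared_openssl_libs(ldd_output):
    """{soname: path} for libssl/libcrypto in ldd output; an empty dict
    means node carries its own (bundled deps/openssl) copy instead."""
    return dict(_LDD_RE.findall(ldd_output))

def assess(ldd_output, reported_version):
    """(which OpenSSL copy the fix depends on, fixed?) for one node binary."""
    libs = shared_openssl_libs(ldd_output)
    where = "system " + ", ".join(sorted(libs)) if libs else "bundled deps/openssl"
    return where, is_fixed_for_cve_2022_0778(reported_version)

# Constructed sample of `ldd node` for a --shared-openssl build
# (paths and load addresses are made up).
SAMPLE_LDD_SHARED = """\
\tlinux-vdso.so.1 (0x00007ffd5a9f0000)
\tlibssl.so.3 => /usr/lib/libssl.so.3 (0x00007f1b2c400000)
\tlibcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f1b2be00000)
\tlibc.so.6 => /usr/lib/libc.so.6 (0x00007f1b2bc00000)
"""
```

On a real system, feed it the output of `ldd $(command -v node)` and the version string node reports; a bundled build needs the node update itself, a shared build needs the system OpenSSL update.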