Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v14.x] deps: upgrade openssl sources to 1.1.1k #37938

Closed
wants to merge 2 commits into from
Closed

[v14.x] deps: upgrade openssl sources to 1.1.1k #37938

wants to merge 2 commits into from

Conversation

tniessen
Copy link
Member

Refs: #37913
Refs: #37916

@tniessen
deps: upgrade openssl sources to 1.1.1k
0ba0a5f 
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1k.tar.gz
    $ mv openssl-1.1.1k openssl
    $ git add --all openssl
    $ git commit openssl
@tniessen
deps: update archs files for OpenSSL-1.1.1k
b3fa6e2 
After an OpenSSL source update, all the config files need to be
regenerated and committed by:
   $ make -C deps/openssl/config
   $ git add deps/openssl/config/archs
   $ git add deps/openssl/openssl/include/crypto/bn_conf.h
   $ git add deps/openssl/openssl/include/crypto/dso_conf.h
   $ git add deps/openssl/openssl/include/openssl/opensslconf.h
   $ git commit
@tniessen tniessen requested a review from jasnell March 27, 2021 00:06
@nodejs-github-bot nodejs-github-bot added needs-ci PRs that need a full CI run. openssl Issues and PRs related to the OpenSSL dependency. v14.x labels Mar 27, 2021
@tniessen tniessen mentioned this pull request Mar 27, 2021
Closed
@nodejs-github-bot

This comment has been minimized.

Sign in to view
@nodejs-github-bot

This comment has been minimized.

Sign in to view
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/37018/

@targos
Copy link
Member

targos commented Mar 27, 2021
edited
Loading

There are failing tests in CI that seem related

Edit: the GitHub checks are outdated.

@tniessen
Copy link
Member Author

CI and GitHub Actions are ✔️

@carlzogh
Copy link

carlzogh commented Mar 30, 2021
edited
Loading

When can we expect this patch to land in LTS releases (10, 12, and 14)? OpenSSL 1.1.1k contains fixes for two high-severity vulnerabilities (ref. OpenSSL 1.1.1 release notes)

@tniessen
Copy link
Member Author

When can we expect this patch to land in LTS releases (10, 12, and 14)?

@carlzogh As usual, an announcement will be made on nodejs.org and on the mailing list as we progress with the preparation of the security releases.

OpenSSL 1.1.1k contains fixes for two high-severity vulnerabilities

That is correct.

  • CVE-2021-3449 is a vulnerability in the TLS server implementation of OpenSSL. I assume that most TLS-capable firewalls (or even simple reverse proxies) would disarm potential DoS attacks, but there is definitely a risk of DoS when Node.js applications expose TLS/HTTPS servers directly and without protective measures.
  • CVE-2021-3450 should not affect Node.js applications, unless a native addon uses X509_V_FLAG_X509_STRICT, which is disabled by default.

@gengjiawen gengjiawen requested a review from targos March 31, 2021 06:28
MylesBorins pushed a commit to MylesBorins/node that referenced this pull request Apr 4, 2021
@tniessen @MylesBorins
deps: upgrade openssl sources to 1.1.1k
403a014 
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1k.tar.gz
    $ mv openssl-1.1.1k openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: nodejs#37938
Refs: nodejs#37913
Refs: nodejs#37916
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
MylesBorins pushed a commit to MylesBorins/node that referenced this pull request Apr 4, 2021
@tniessen @MylesBorins
deps: update archs files for OpenSSL-1.1.1k
6bc8f58 
After an OpenSSL source update, all the config files need to be
regenerated and committed by:
   $ make -C deps/openssl/config
   $ git add deps/openssl/config/archs
   $ git add deps/openssl/openssl/include/crypto/bn_conf.h
   $ git add deps/openssl/openssl/include/crypto/dso_conf.h
   $ git add deps/openssl/openssl/include/openssl/opensslconf.h
   $ git commit

PR-URL: nodejs#37938
Refs: nodejs#37913
Refs: nodejs#37916
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
@MylesBorins MylesBorins mentioned this pull request Apr 4, 2021
Merged
@MylesBorins
Copy link
Contributor

landed in 6a9ec8d...6bc8f58

@MylesBorins MylesBorins closed this Apr 4, 2021
@tniessen tniessen deleted the v14-openssl-111k branch October 7, 2021 16:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danbev danbev danbev approved these changes

@gengjiawen gengjiawen gengjiawen approved these changes

@jasnell jasnell Awaiting requested review from jasnell

@targos targos Awaiting requested review from targos

Assignees
No one assigned
Labels
needs-ci PRs that need a full CI run. openssl Issues and PRs related to the OpenSSL dependency.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@tniessen @nodejs-github-bot @targos @carlzogh @MylesBorins @danbev @gengjiawen