doc: post-release announcement Mar 2022 OpenSSL Updates #4497

Merged
merged 5 commits into from
Mar 18, 2022
31 changes: 26 additions & 5 deletions locale/en/blog/vulnerability/mar-2022-security-releases.md
@@ -1,19 +1,40 @@
---
date: 2022-03-16T23:22:00.000Z
date: 2022-03-18T09:00:00.000Z
Member

I can't remember if we ran into issues if the date/time was in the future, so we might want to check this value before merging.

Member Author

Yup. Was just about to update it to be more accurate. Thanks!

category: vulnerability
title: OpenSSL security releases require Node.js security releases
slug: openssl-and-high-severity-fixes-mar-2022
layout: blog-post.hbs
author: Joe Sepi
---

# _(Update 16-Mar-2022)_ Summary
# _(Update 18-Mar-2022)_ Security releases available

Updates are now available for v17.x, v16.x, v14.x, and v12.x Node.js release lines to incorporate upstream patches from OpenSSL.

## Update to OpenSSL 3.0.2n and 1.1.1n, (High) (CVE-2022-0778)

Infinite loop in BN_mod_sqrt() reachable when parsing certificates.
More details are available at https://www.openssl.org/news/secadv/20220315.txt

Impacts:
* All versions of the 17.x, 16.x, 14.x, and 12.x releases lines.

## Downloads and release details

* [Node.js v12.22.11 (LTS)](https://nodejs.org/en/blog/release/v12.22.11/)
* [Node.js v14.19.1 (LTS)](https://nodejs.org/en/blog/release/v14.19.1/)
* [Node.js v16.14.2 (LTS)](https://nodejs.org/en/blog/release/v16.14.2/)
* [Node.js v17.7.2 (Current)](https://nodejs.org/en/blog/release/v17.7.2/)

---

### _(Update 16-Mar-2022)_ Summary

The Node.js project will release new versions of the 12.x, 14.x, 16.x, and 17.x
releases lines on or shortly after Thursday, March 17th, 2022 to incorporate
upstream patches from OpenSSL.

## Impact
### Impact

The 17.x release line of Node.js is vulnerable to one High severity issue.
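
Review bot: The added heading "## Update to OpenSSL 3.0.2n and 1.1.1n, (High) (CVE-2022-0778)" gives the 3.0 version as "3.0.2n", but the OpenSSL 3.0 series carries no letter suffix; the fixed releases in the linked advisory are 3.0.2 and 1.1.1n. Suggest "## Update to OpenSSL 3.0.2 and 1.1.1n (High) (CVE-2022-0778)", which also drops the stray comma before "(High)". In the Impacts bullet, "releases lines" should read "release lines" (the same typo is in the older summary paragraph kept below it). The front-matter date of 2022-03-18T09:00:00.000Z should match the actual publish time, as already raised in the thread.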

@@ -23,11 +44,11 @@ The 14.x release line of Node.js is vulnerable to one High severity issue.

The 12.x release line of Node.js is vulnerable to one High severity issue.

## Release timing
### Release timing

Releases will be available on, or shortly after, Thursday, March 17th, 2022.

## Contact and future updates
### Contact and future updates

The current Node.js security policy can be found at https://github.com/nodejs/node/blob/master/SECURITY.md.
Please follow the process outlined in https://github.com/nodejs/node/blob/master/SECURITY.md
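
Review bot: The "Impact", "Release timing" and "Contact and future updates" headings are demoted to "###", which puts them at the same level as "### _(Update 16-Mar-2022)_ Summary" rather than beneath it, while the new top section uses "#" and "##". Consider making the 16-Mar update heading "##" so the archived sections nest under it. The "Release timing" text still says releases "will be available on, or shortly after, Thursday, March 17th, 2022", which now sits below a section announcing the releases as available; a short note that this is the original pre-release text would avoid confusion.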