Node: openssl security release 1.1.1g - vulnerability HIGH
Until the OpenSSL release occurs, we won't know if the issue affects Node.js or not.
https://mta.openssl.org/pipermail/openssl-announce/2020-April/000170.html
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL version 1.1.1g.
This release will be made available on Tuesday 21st April 2020 between
1300-1700 UTC.
OpenSSL 1.1.g is a security-fix release. The highest severity issue
fixed in this release is HIGH:
https://www.openssl.org/policies/secpolicy.html#high
Yours
The OpenSSL Project Team
sam-github
All 7 comments
@hassaanp offered to do the openssl update.
sam-github
on 14 Apr 2020
Next TSC meeting will be right after the openssl release, Node.js impact can be discussed then.
public announcement: https://github.com/nodejs/nodejs.org/pull/3113
sam-github
on 17 Apr 2020
@nodejs/releasers Calling for volunteer/volunteers!
Its not known if sec releases will be required yet, but if they are, and need to be expedited, we'll need someone to do the releases.
Affected release lines will be all those currently supported: 10,12,13,14
sam-github
on 20 Apr 2020
I can do 13 and/or 12
targos
on 20 Apr 2020
https://www.openssl.org/news/secadv/20200421.txt is the sec issue addressed
sam-github
on 21 Apr 2020
issue does not affect Node.js:
https://mta.openssl.org/pipermail/openssl-users/2020-April/012269.html
sam-github
on 21 Apr 2020
It does not affect Node.js and therefore I removed it from the tsc agenda.
Seems like there is no action item in general and therefore I close this.
BridgeAR
on 23 Apr 2020
Related issues
Icemic
路
3Comments
akdor1154
路
3Comments
vsemozhetbyt
路
3Comments
mcollina
路
3Comments
addaleax
路
3Comments
Most helpful comment
@hassaanp offered to do the openssl update.