Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[v14.x] deps: upgrade openssl sources to 1.1.1k #37938

Closed
wants to merge 2 commits into from

Conversation

tniessen
Copy link
Member

Refs: #37913
Refs: #37916

This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1k.tar.gz
    $ mv openssl-1.1.1k openssl
    $ git add --all openssl
    $ git commit openssl
After an OpenSSL source update, all the config files need to be
regenerated and committed by:
   $ make -C deps/openssl/config
   $ git add deps/openssl/config/archs
   $ git add deps/openssl/openssl/include/crypto/bn_conf.h
   $ git add deps/openssl/openssl/include/crypto/dso_conf.h
   $ git add deps/openssl/openssl/include/openssl/opensslconf.h
   $ git commit
@tniessen tniessen requested a review from jasnell March 27, 2021 00:06
@nodejs-github-bot nodejs-github-bot added needs-ci PRs that need a full CI run. openssl Issues and PRs related to the OpenSSL dependency. v14.x labels Mar 27, 2021
@nodejs-github-bot

This comment has been minimized.

@nodejs-github-bot

This comment has been minimized.

@nodejs-github-bot
Copy link
Collaborator

@targos
Copy link
Member

targos commented Mar 27, 2021

There are failing tests in CI that seem related

Edit: the GitHub checks are outdated.

@tniessen
Copy link
Member Author

CI and GitHub Actions are ✔️

@carlzogh
Copy link

carlzogh commented Mar 30, 2021

When can we expect this patch to land in LTS releases (10, 12, and 14)? OpenSSL 1.1.1k contains fixes for two high-severity vulnerabilities (ref. OpenSSL 1.1.1 release notes)

@tniessen
Copy link
Member Author

When can we expect this patch to land in LTS releases (10, 12, and 14)?

@carlzogh As usual, an announcement will be made on nodejs.org and on the mailing list as we progress with the preparation of the security releases.

OpenSSL 1.1.1k contains fixes for two high-severity vulnerabilities

That is correct.

  • CVE-2021-3449 is a vulnerability in the TLS server implementation of OpenSSL. I assume that most TLS-capable firewalls (or even simple reverse proxies) would disarm potential DoS attacks, but there is definitely a risk of DoS when Node.js applications expose TLS/HTTPS servers directly and without protective measures.
  • CVE-2021-3450 should not affect Node.js applications, unless a native addon uses X509_V_FLAG_X509_STRICT, which is disabled by default.

@gengjiawen gengjiawen requested a review from targos March 31, 2021 06:28
MylesBorins pushed a commit to MylesBorins/node that referenced this pull request Apr 4, 2021
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1k.tar.gz
    $ mv openssl-1.1.1k openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: nodejs#37938
Refs: nodejs#37913
Refs: nodejs#37916
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
MylesBorins pushed a commit to MylesBorins/node that referenced this pull request Apr 4, 2021
After an OpenSSL source update, all the config files need to be
regenerated and committed by:
   $ make -C deps/openssl/config
   $ git add deps/openssl/config/archs
   $ git add deps/openssl/openssl/include/crypto/bn_conf.h
   $ git add deps/openssl/openssl/include/crypto/dso_conf.h
   $ git add deps/openssl/openssl/include/openssl/opensslconf.h
   $ git commit

PR-URL: nodejs#37938
Refs: nodejs#37913
Refs: nodejs#37916
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
@MylesBorins MylesBorins mentioned this pull request Apr 4, 2021
@MylesBorins
Copy link
Contributor

landed in 6a9ec8d...6bc8f58

@MylesBorins MylesBorins closed this Apr 4, 2021
@tniessen tniessen deleted the v14-openssl-111k branch October 7, 2021 16:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
needs-ci PRs that need a full CI run. openssl Issues and PRs related to the OpenSSL dependency.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants