
OpenSSL 1.0.2m on 2nd November 2017 #271

Closed
@rvagg


Doing this here instead of in @nodejs/security since there's nothing sensitive here as far as I can tell. /cc @nodejs/security-wg

Forthcoming OpenSSL releases
============================

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.0g and 1.0.2m.

These releases will be made available on 2nd November 2017 between
approximately 1300-1700 UTC.

This is a bug-fix release. It will also include a fix for the low
severity security issue previously published here:
https://www.openssl.org/news/secadv/20170828.txt

Please also note that, as per our previous announcements, support for
1.0.1 ended on 31st December 2016.

Yours

The OpenSSL Project Team

The issue in question is:

Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
===================================================================

Severity: Low

If an X.509 certificate has a malformed IPAddressFamily extension,
OpenSSL could do a one-byte buffer overread. The most likely result
would be an erroneous display of the certificate in text format.

As this is a low severity fix, no release is being made. The fix can be
found in the source repository (1.0.2, 1.1.0, and master branches); see
https://github.com/openssl/openssl/pull/4276. This bug has been present
since 2006.

So, that's pretty low; I think the only reason this is even listed as a security problem is because it's a buffer over-read and they're leaving open the possibility that it could be more than just an "erroneous display".

So IMO we shouldn't rush this out but we need to keep up to date with OpenSSL as much as possible to retain trust. So I guess just line this up with the closest releases.

In the proposed LTS release schedule, this is going to miss v8.9.0 by 2 days and will then have to wait for a bit over a month for v8.9.1. I assume that Boron has a similar schedule to Carbon in this schedule. Are we OK with letting this dangle for a month? We'd just have to communicate it somewhere publicly.
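As an added illustration of the defect class the advisory quoted above describes (example code, not from the OpenSSL project or from this issue): RFC 3779 defines the addressFamily field of an IPAddressFamily as a 2- or 3-octet string, a big-endian AFI followed by an optional SAFI. A reader that validates the length before touching any byte cannot overread on a malformed 1-octet field; the inputs are constructed, and since this page does not state where the CVE-2017-3735 fix lands in OpenSSL, this shows the general pattern rather than OpenSSL's patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of parsing the addressFamily OCTET STRING. */
enum afi_status { AFI_OK = 0, AFI_TOO_SHORT = -1, AFI_TOO_LONG = -2 };

/* Decoded addressFamily: 16-bit AFI and an optional 8-bit SAFI. */
struct addr_family {
    uint16_t afi;
    int has_safi;
    uint8_t safi;
};

/* Parse the addressFamily field of an RFC 3779 IPAddressFamily.
 * RFC 3779 allows 2 or 3 octets: AFI (2 bytes, big-endian) plus an
 * optional SAFI. Both bounds are checked BEFORE any byte is read, so a
 * malformed 0- or 1-octet field is rejected instead of overread. */
enum afi_status parse_address_family(const uint8_t *data, size_t len,
                                     struct addr_family *out)
{
    if (data == NULL || len < 2)
        return AFI_TOO_SHORT;   /* reading data[1] would run past the end */
    if (len > 3)
        return AFI_TOO_LONG;    /* not a valid RFC 3779 encoding */
    out->afi = (uint16_t)((data[0] << 8) | data[1]);
    out->has_safi = (len == 3);
    out->safi = out->has_safi ? data[2] : 0;
    return AFI_OK;
}

int main(void)
{
    /* Constructed sample fields, not taken from a real certificate. */
    const uint8_t well_formed[] = {0x00, 0x01, 0x01}; /* AFI 1 (IPv4), SAFI 1 */
    const uint8_t truncated[]   = {0x00};             /* malformed: 1 octet */
    struct addr_family af;

    if (parse_address_family(well_formed, sizeof well_formed, &af) == AFI_OK)
        printf("AFI=%u SAFI=%u\n", af.afi, af.safi);
    if (parse_address_family(truncated, sizeof truncated, &af) == AFI_TOO_SHORT)
        printf("truncated addressFamily rejected, nothing read\n");
    return 0;
}
```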
