Skip to content

[v14.x] deps: upgrade openssl sources to 1.1.1k#37938

Closed
tniessen wants to merge 2 commits intonodejs:v14.x-stagingfrom
tniessen:v14-openssl-111k
Closed

[v14.x] deps: upgrade openssl sources to 1.1.1k#37938
tniessen wants to merge 2 commits intonodejs:v14.x-stagingfrom
tniessen:v14-openssl-111k

Conversation

@tniessen
Copy link
Member

@tniessen tniessen commented Mar 27, 2021

Refs: #37913
Refs: #37916

tniessen added 2 commits March 27, 2021 00:50
@tniessen
deps: upgrade openssl sources to 1.1.1k
0ba0a5f 
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1k.tar.gz
    $ mv openssl-1.1.1k openssl
    $ git add --all openssl
    $ git commit openssl
@tniessen
deps: update archs files for OpenSSL-1.1.1k
b3fa6e2 
After an OpenSSL source update, all the config files need to be
regenerated and committed by:
   $ make -C deps/openssl/config
   $ git add deps/openssl/config/archs
   $ git add deps/openssl/openssl/include/crypto/bn_conf.h
   $ git add deps/openssl/openssl/include/crypto/dso_conf.h
   $ git add deps/openssl/openssl/include/openssl/opensslconf.h
   $ git commit
@tniessen tniessen requested a review from jasnell March 27, 2021 00:06
@nodejs-github-bot nodejs-github-bot added needs-ci PRs that need a full CI run. openssl Issues and PRs related to the OpenSSL dependency. v14.x labels Mar 27, 2021
@tniessen tniessen mentioned this pull request Mar 27, 2021
Closed
@nodejs-github-bot

This comment has been minimized.

Sign in to view
@nodejs-github-bot

This comment has been minimized.

Sign in to view
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Mar 27, 2021

CI: https://ci.nodejs.org/job/node-test-pull-request/37018/

@targos
Copy link
Member

targos commented Mar 27, 2021
edited
Loading

There are failing tests in CI that seem related

Edit: the GitHub checks are outdated.

@tniessen
Copy link
Member Author

tniessen commented Mar 27, 2021

CI and GitHub Actions are ✔️

@carlzogh
Copy link

carlzogh commented Mar 30, 2021
edited
Loading

When can we expect this patch to land in LTS releases (10, 12, and 14)? OpenSSL 1.1.1k contains fixes for two high-severity vulnerabilities (ref. OpenSSL 1.1.1 release notes)

@tniessen
Copy link
Member Author

tniessen commented Mar 31, 2021

When can we expect this patch to land in LTS releases (10, 12, and 14)?

@carlzogh As usual, an announcement will be made on nodejs.org and on the mailing list as we progress with the preparation of the security releases.

OpenSSL 1.1.1k contains fixes for two high-severity vulnerabilities

That is correct.

  • CVE-2021-3449 is a vulnerability in the TLS server implementation of OpenSSL. I assume that most TLS-capable firewalls (or even simple reverse proxies) would disarm potential DoS attacks, but there is definitely a risk of DoS when Node.js applications expose TLS/HTTPS servers directly and without protective measures.
  • CVE-2021-3450 should not affect Node.js applications, unless a native addon uses X509_V_FLAG_X509_STRICT, which is disabled by default.

@gengjiawen gengjiawen requested a review from targos March 31, 2021 06:28
MylesBorins pushed a commit to MylesBorins/node that referenced this pull request Apr 4, 2021
@tniessen @MylesBorins
deps: upgrade openssl sources to 1.1.1k
403a014 
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1k.tar.gz
    $ mv openssl-1.1.1k openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: nodejs#37938
Refs: nodejs#37913
Refs: nodejs#37916
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
MylesBorins pushed a commit to MylesBorins/node that referenced this pull request Apr 4, 2021
@tniessen @MylesBorins
deps: update archs files for OpenSSL-1.1.1k
6bc8f58 
After an OpenSSL source update, all the config files need to be
regenerated and committed by:
   $ make -C deps/openssl/config
   $ git add deps/openssl/config/archs
   $ git add deps/openssl/openssl/include/crypto/bn_conf.h
   $ git add deps/openssl/openssl/include/crypto/dso_conf.h
   $ git add deps/openssl/openssl/include/openssl/opensslconf.h
   $ git commit

PR-URL: nodejs#37938
Refs: nodejs#37913
Refs: nodejs#37916
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
@MylesBorins MylesBorins mentioned this pull request Apr 4, 2021
Merged
@MylesBorins
Copy link
Contributor

MylesBorins commented Apr 4, 2021

landed in 6a9ec8d...6bc8f58

@MylesBorins MylesBorins closed this Apr 4, 2021
@tniessen tniessen deleted the v14-openssl-111k branch October 7, 2021 16:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gengjiawen gengjiawen gengjiawen approved these changes

@jasnell jasnell Awaiting requested review from jasnell

@targos targos Awaiting requested review from targos

+1 more reviewer

@danbev danbev danbev approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

needs-ci PRs that need a full CI run. openssl Issues and PRs related to the OpenSSL dependency.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@tniessen @nodejs-github-bot @targos @carlzogh @MylesBorins @danbev @gengjiawen