OpenSSL releases on Nov 20th #24370
Comments
@rvagg I've never done an openssl letter upgrade, but I'd like to. Shall I take a shot at the 10.x/11.x update from openssl 1.1.0i to 1.1.0j? I could start tomorrow.
@sam-github you'll have to wait till the 20th to get full releases. You're welcome to practice though! It's all documented in deps/openssl/README.md and deps/openssl/config/README.md
Releases occurred as announced:
FYI: Landing in #24523 & #24530 thanks to Sam. Going out next week as per https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
There seem to be typos in the release blogs w.r.t. CVE numbers. https://nodejs.org/en/blog/release/v11.3.0/ needs to change CVE-2019-0735 -> CVE-2018-0735. Also, changelogs are affected. The git changelog messages seem correct.
https://mta.openssl.org/pipermail/openssl-announce/2018-November/000138.html
These are fixes I've been floating but that haven't yet made it into releases:
The impression they were giving was that they were not going to bother with releases any time soon for these flaws. But now they are doing it. I'm not sure if that's because they are reconsidering their approach or because they didn't signal it well enough (or I picked up on the wrong signal).
With these new releases, all of those commits can be ignored and we'll get full increments of all OpenSSL. We haven't released any of these cherry-picks yet and now we won't need to.
/cc @nodejs/crypto @nodejs/security