Closed
https://mta.openssl.org/pipermail/openssl-announce/2018-November/000138.html
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.1a, 1.1.0j and 1.0.2q.

These releases will be made available on 20th November 2018 between approximately 1300-1700 UTC.

These are bug-fix releases. They also contain the fixes for three LOW severity security issues CVE-2018-0735, CVE-2018-0734 and CVE-2018-5407 which were previously announced here:

https://www.openssl.org/news/secadv/20181029.txt
https://www.openssl.org/news/secadv/20181030.txt
https://www.openssl.org/news/secadv/20181112.txt

CVE-2018-0735 only affects the 1.1.0 branch.
CVE-2018-0734 affects the 1.1.1, 1.1.0 and 1.0.2 branches.
CVE-2018-5407 affects the 1.0.2 branch. It also affects older 1.1.0 releases before 1.1.0i.
These are fixes I've been floating but haven't yet made it into releases:
- deps: float 99540ec from openssl (CVE-2018-0735) #23950 CVE-2018-0735 for 10.x+ (landed)
- deps: float two (more) OpenSSL patches for DSA vulnerabilities #23965 CVE-2018-0734 for 10.x+ and an additional non-CVE vuln (that should get a CVE IMO but not their policy) (landed)
- deps: float 26d7fce1 from openssl (CVE-2018-0734 follow-on) #24353 CVE-2018-0734 follow-on for additional problem that was introduced with the CVE-2018-0734 fix (a calculation not being constant-time) (in review)
- deps: float b18162a7c from openssl (CVE-2018-5407) (8.x and 6.x only) #24352 for CVE-2018-5407 for 6.x & 8.x (in review)
- OpenSSL float backports for 8.x and 6.x #24354 to backport deps: float two (more) OpenSSL patches for DSA vulnerabilities #23965 and deps: float 26d7fce1 from openssl (CVE-2018-0734 follow-on) #24353 to 8.x and 6.x (in review)
The impression they were giving was that they were not going to bother with releases any time soon for these flaws. But now they are doing it. I'm not sure if that's because they are reconsidering their approach or because they didn't signal it well enough (or I picked up on the wrong signal).
With these new releases, all of those commits can be ignored and we'll get full increments of all OpenSSL. We haven't released any of these cherry-picks yet and now we won't need to.
/cc @nodejs/crypto @nodejs/security
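As an added example (not code from the Node.js or OpenSSL projects), the check a release or platform maintainer would want after reading the quoted announcement: take the OpenSSL version a Node binary reports in `process.versions.openssl` and work out which of the three CVEs are still unfixed for that exact release. The branch and fix-release table is encoded exactly as the announcement quoted above states it (1.1.1a, 1.1.0j, 1.0.2q; CVE-2018-5407 already fixed on 1.1.0 from 1.1.0i), so it says nothing about other branches or other advisories. The version-string handling covers the pre-3.0 letter-suffix scheme, including the two-letter "za"/"zb" suffixes, which is the part naive string comparison gets wrong. Function names and the sample version strings are this example's own.

```javascript
'use strict';
// Added example, not Node.js or OpenSSL project code: map an OpenSSL version
// string in the legacy letter-suffix scheme (e.g. "1.1.0i", "1.0.2q") to the
// CVEs from the 20 November 2018 release announcement that still apply to it.

// First fixed release per branch, as the announcement states them.
const FIX_RELEASE = { '1.1.1': 'a', '1.1.0': 'j', '1.0.2': 'q' };

// Per CVE: the branches the announcement lists as affected, and the first
// letter on that branch that carries the fix. CVE-2018-5407 on 1.1.0 was
// already fixed in 1.1.0i, per the announcement.
const ADVISORY = {
  'CVE-2018-0735': { '1.1.0': FIX_RELEASE['1.1.0'] },
  'CVE-2018-0734': {
    '1.1.1': FIX_RELEASE['1.1.1'],
    '1.1.0': FIX_RELEASE['1.1.0'],
    '1.0.2': FIX_RELEASE['1.0.2'],
  },
  'CVE-2018-5407': { '1.0.2': FIX_RELEASE['1.0.2'], '1.1.0': 'i' },
};

// Parse "1.1.0i" (also "1.1.1a+quic", "1.0.2q-fips") into branch and letter.
// A bare "1.1.1" has the empty suffix, which sorts before "a".
function parseOpenSSLVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised OpenSSL version string: ${s}`);
  return { branch: `${m[1]}.${m[2]}.${m[3]}`, letter: m[4] };
}

// Order letter suffixes the way OpenSSL's pre-3.0 scheme does:
// "" < "a" < ... < "z" < "za" < "zb" < ... (a longer suffix is a later release).
function compareLetters(a, b) {
  if (a.length !== b.length) return a.length - b.length;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns { branch, letter, knownBranch, cves }; cves lists the announcement's
// CVEs whose fix release on this branch is later than the given release.
function assessOpenSSLVersion(s) {
  const { branch, letter } = parseOpenSSLVersion(s);
  const knownBranch = Object.prototype.hasOwnProperty.call(FIX_RELEASE, branch);
  const cves = [];
  for (const [cve, fixes] of Object.entries(ADVISORY)) {
    const firstFixed = fixes[branch];
    if (firstFixed !== undefined && compareLetters(letter, firstFixed) < 0) {
      cves.push(cve);
    }
  }
  return { branch, letter, knownBranch, cves };
}

// One-line verdict for a version string.
function describeVersion(s) {
  const r = assessOpenSSLVersion(s);
  if (!r.knownBranch) {
    return `${s}: branch ${r.branch} is not covered by the 2018-11-20 announcement`;
  }
  return r.cves.length
    ? `${s}: still affected by ${r.cves.join(', ')}`
    : `${s}: all three CVEs fixed`;
}

// Report for the OpenSSL this Node binary was built against. For a
// --shared-openssl build the runtime library can differ from what the binary
// reports, so confirm it separately (e.g. `openssl version`).
console.log(describeVersion(process.versions.openssl));
```

The same table can be reused for a fleet check by feeding it the output of `node -p process.versions.openssl` from each host; a result with `knownBranch === false` means the binary is on a branch this announcement does not speak to, not that it is safe.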