v16.14.2 proposal #42385

richardlau · 2022-03-17T21:40:16Z

2022-03-17, Version 16.14.2 'Gallium' (LTS), @richardlau

This is a security release.

Notable Changes

Update to OpenSSL 1.1.1n, which addresses the following vulnerability:

Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)(CVE-2022-0778)
More details are available at https://www.openssl.org/news/secadv/20220315.txt

Commits

[3924618c74] - deps: update archs files for OpenSSL-1.1.1 (Hassaan Pasha) #42352
[7a6a870d58] - deps: upgrade openssl sources to OpenSSL_1_1_1n (Hassaan Pasha) #42352
[c533b430f4] - test: fix tests affected by OpenSSL update (Michael Dawson) #42352

This updates all sources in deps/openssl/openssl by: $ git clone https://github.com/quictls/openssl $ cd openssl $ git checkout OpenSSL_1_1_1n+quic $ cd ../node/deps/openssl $ rm -rf openssl $ cp -R ../openssl openssl $ rm -rf openssl/.git* openssl/.travis* $ git add --all openssl $ git commit openssl PR-URL: #42352 Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-March/000218.html Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Danielle Adams <adamzdanielle@gmail.com>

After an OpenSSL source update, all the config files need to be regenerated and committed by: $ make -C deps/openssl/config $ git add deps/openssl/config/archs $ git add deps/openssl/openssl/include/crypto/bn_conf.h $ git add deps/openssl/openssl/include/crypto/dso_conf.h $ git add deps/openssl/openssl/include/openssl/opensslconf.h $ git commit PR-URL: #42352 Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-March/000218.html Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Danielle Adams <adamzdanielle@gmail.com>

Last OpenSSL 3 update changes behaviour back to be closer to that of OpenSSL 1.1.1. Remove some instances where we expected different errors from OpenSSL 3 versus OpenSSL 1.1.1. Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: #42352 Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-March/000218.html Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Danielle Adams <adamzdanielle@gmail.com>

This is a security release. Notable changes: Update to OpenSSL 1.1.1n, which addresses the following vulnerability: - Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)(CVE-2022-0778) More details are available at https://www.openssl.org/news/secadv/20220315.txt PR-URL: #42385

nodejs-github-bot · 2022-03-17T21:41:47Z

CI: https://ci.nodejs.org/job/node-test-pull-request/43101/
Release build on 442e84a: https://ci-release.nodejs.org/job/iojs+release/8326/

nodejs-github-bot · 2022-03-17T23:25:22Z

CI: https://ci.nodejs.org/job/node-test-pull-request/43108/

PR-URL: #42385

This is a security release. Notable changes: Update to OpenSSL 1.1.1n, which addresses the following vulnerability: - Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)(CVE-2022-0778) More details are available at https://www.openssl.org/news/secadv/20220315.txt PR-URL: #42385

Refs: nodejs/node#42385

This is a security release. Notable changes: Update to OpenSSL 1.1.1n, which addresses the following vulnerability: - Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)(CVE-2022-0778) More details are available at https://www.openssl.org/news/secadv/20220315.txt PR-URL: nodejs#42385

hassaanp and others added 4 commits March 17, 2022 17:20

nodejs-github-bot added dependencies Pull requests that update a dependency file. meta Issues and PRs related to the general management of the project. needs-ci PRs that need a full CI run. openssl Issues and PRs related to the OpenSSL dependency. v16.x labels Mar 17, 2022

aduh95 approved these changes Mar 17, 2022

View reviewed changes

BethGriggs approved these changes Mar 17, 2022

View reviewed changes

github-actions bot mentioned this pull request Mar 18, 2022

CI Reliability 2022-03-18 nodejs/reliability#224

Open

28 tasks

richardlau added a commit that referenced this pull request Mar 18, 2022

Working on v16.14.3

85e3624

PR-URL: #42385

richardlau merged commit 442e84a into v16.x Mar 18, 2022

richardlau added a commit to richardlau/nodejs.org that referenced this pull request Mar 18, 2022

Blog: v16.14.2 release post

3ad4eab

Refs: nodejs/node#42385

aduh95 deleted the v16.14.2-proposal branch March 18, 2022 01:25

richardlau added a commit to richardlau/nodejs.org that referenced this pull request Mar 18, 2022

Blog: v16.14.2 release post

ac93a44

Refs: nodejs/node#42385

richardlau mentioned this pull request Mar 18, 2022

Blog: v16.14.2 release post nodejs/nodejs.org#4500

Merged

richardlau added a commit to nodejs/nodejs.org that referenced this pull request Mar 18, 2022

Blog: v16.14.2 release post (#4500)

35c8637

Refs: nodejs/node#42385

github-actions bot mentioned this pull request Mar 26, 2022

CI Reliability 2022-03-26 nodejs/reliability#232

Open

26 tasks

github-actions bot mentioned this pull request Mar 27, 2022

CI Reliability 2022-03-27 nodejs/reliability#233

Open

26 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v16.14.2 proposal #42385

v16.14.2 proposal #42385

richardlau commented Mar 17, 2022

nodejs-github-bot commented Mar 17, 2022 •

edited by richardlau

nodejs-github-bot commented Mar 17, 2022

v16.14.2 proposal #42385

v16.14.2 proposal #42385

Conversation

richardlau commented Mar 17, 2022

2022-03-17, Version 16.14.2 'Gallium' (LTS), @richardlau

Notable Changes

Commits

nodejs-github-bot commented Mar 17, 2022 • edited by richardlau

nodejs-github-bot commented Mar 17, 2022

nodejs-github-bot commented Mar 17, 2022 •

edited by richardlau