From 4bcf198201c1468e81523f17767c3df6c421c1ca Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Thu, 12 Sep 2019 10:18:08 -0700 Subject: [PATCH] blog: sep 2019 security no-release announcement Fixes: https://github.com/nodejs/node/issues/29445 --- .../september-2019-openssl-no-updates.md | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 locale/en/blog/vulnerability/september-2019-openssl-no-updates.md diff --git a/locale/en/blog/vulnerability/september-2019-openssl-no-updates.md b/locale/en/blog/vulnerability/september-2019-openssl-no-updates.md new file mode 100644 index 000000000000..5afa074192b5 --- /dev/null +++ b/locale/en/blog/vulnerability/september-2019-openssl-no-updates.md 
@@ -0,0 +1,46 @@ +--- +date: 2019-09-12T17:00:15.000Z +category: vulnerability +title: OpenSSL security releases do not require Node.js security releases +slug: openssl-fixes-unneeded-sep-2019 +layout: blog-post.hbs +author: Sam Roberts +--- + +### Summary + +The OpenSSL Security releases of September 10th, 2019 do not affect Node.js. + +### Analysis + +Our assessment of the [security advisory](https://www.openssl.org/news/secadv/20190910.txt) is: + +- ECDSA remote timing attack (CVE-2019-1547) + Not affected. Node supports only named curves for ECDSA signing. + +- Fork Protection (CVE-2019-1549) + Not affected. Node.js always call `exec()` after `fork()` so will not the + duplicate PRNG state in the forked process. + +- Padding Oracle in `PKCS7_dataDecode` and `CMS_decrypt_set1_pkey` (CVE-2019-1563) + Not affected. Node does not support PCKS7 and CMS. + +Given this assessment, the OpenSSL updates will be treated as non-security +patch updates, and will come out in the regularly scheduled updates to +supported release lines. + +### Acknowledgements + +Thanks to [Shigeki Ohtsu](https://github.com/shigeki) for his rapid analysis +of the OpenSSL security advisory. + +### Contact and future updates + +The current Node.js security policy can be found at , +including information on how to report a vulnerability in Node.js. + +Subscribe to the low-volume announcement-only **nodejs-sec** mailing list at +https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on +security vulnerabilities and security-related releases of Node.js and the +projects maintained in the +[nodejs GitHub organisation](https://github.com/nodejs).
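Review bot: the CVE-2019-1549 bullet has a garbled sentence that should be fixed before this lands: "Node.js always call `exec()` after `fork()` so will not the duplicate PRNG state in the forked process." should read "Node.js always calls `exec()` after `fork()`, so it will not duplicate the PRNG state in the forked process." In the CVE-2019-1563 bullet, "PCKS7" is a typo for "PKCS7" (the heading on the same bullet already spells it correctly). Under "Contact and future updates", the sentence "The current Node.js security policy can be found at ," has no link target after "at"; the policy URL needs to be filled in there, otherwise the sentence points readers nowhere. For consistency with the rest of the post, the two bullets that say "Node supports" / "Node does not support" could use "Node.js" like the surrounding text.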