OpenSSL v3.0.13+quic1 in Node.js v18 and v20 #51734

openpef · 2024-02-12T19:33:23Z

Hi folks,

I've noticed that OpenSSL hasn't been updated to v3.0.13+quic1 for node v18.x/v20.x in #51614 and so is still to v3.0.12+quic1

Is there a reason for this?

aduh95 · 2024-02-12T22:04:06Z

See https://nodejs.org/en/blog/vulnerability/february-2024-security-releases. There won't be any releases until the security releases are out. The OpenSSL update will be included if that fixes any of the security issues the security release is trying to address. If it's not included, it will follow the usual backporting process described in https://github.com/nodejs/node/blob/main/doc/contributing/backporting-to-release-lines.md.

Closing as answered, but don't hesitate to ask more questions if you have more.

losonczylaci · 2024-02-14T11:14:20Z

Hey @aduh95, it would fix the CVE-2023-5678 vulnerability (medium severity) of openssl that is being addressed by openssl v3.0.13 (read more here)

openpef changed the title ~~OpenSSL v3.0.13+quic1 in Node.js v18 and/or v20~~ OpenSSL v3.0.13+quic1 in Node.js v18 and v20 Feb 12, 2024

aduh95 closed this as completed Feb 12, 2024

Provide feedback