diff --git a/locale/en/blog/vulnerability/september-2019-openssl-updates.md b/locale/en/blog/vulnerability/september-2019-openssl-updates.md new file mode 100644 index 0000000000000..7903ed471f5b4 --- /dev/null +++ b/locale/en/blog/vulnerability/september-2019-openssl-updates.md 
@@ -0,0 +1,53 @@ +--- +date: 2019-09-05T15:34:35.000Z +category: vulnerability +title: OpenSSL upgrade low-severity Node.js security fixes +slug: openssl-and-low-severity-fixes-sep-2019 +layout: blog-post.hbs +author: Sam Roberts +--- + +### Summary + +The Node.js project may be releasing new versions across all of its supported +release lines early next week to incorporate upstream patches from OpenSSL. +Please read on for full details. + +### OpenSSL + +The OpenSSL project +[announced](https://mta.openssl.org/pipermail/openssl-announce/2019-September/000156.html) +this week that they will be releasing versions 1.0.2t and 1.1.1d on the 10th of +September, UTC. The releases will fix two security defects that are labelled +as "LOW" severity under their +[security policy](https://www.openssl.org/policies/secpolicy.html), +meaning they are: + +> ... issues such as those that only affect the openssl command line utility, +> or unlikely configurations. + +Node.js v8.x use OpenSSL v1.0.2 and Node.js v10.x and v12.x both use OpenSSL +v1.1.1, therefore all active release lines are impacted by this update. + +At this stage, due to embargo, the exact nature of these defects is uncertain +as well as the impact they will have on Node.js users. + +After assessing the impact on Node.js, it will be decided whether the issues +fixed require immediate security releases of Node.js, or whether they can be +included in the normally scheduled updates. + +Please monitor the **nodejs-sec** Google Group for updates, including a +decision within 24 hours after the OpenSSL release regarding release timing, +and full details of the defects upon eventual release: +https://groups.google.com/forum/#!forum/nodejs-sec + +### Contact and future updates + +The current Node.js security policy can be found at , +including information on how to report a vulnerability in Node.js. 
+ +Subscribe to the low-volume announcement-only **nodejs-sec** mailing list at +https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on +security vulnerabilities and security-related releases of Node.js and the +projects maintained in the +[nodejs GitHub organisation](https://github.com/nodejs).
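Review bot: the "Contact and future updates" section has an empty link target: "The current Node.js security policy can be found at ," ends without a URL, so readers are told where to find the reporting instructions but given nowhere to go. Please fill in the security policy link before merging (the sentence will otherwise publish with the dangling comma). Two smaller points in the same hunk: "Node.js v8.x use OpenSSL v1.0.2" should read "uses", and the front-matter title "OpenSSL upgrade low-severity Node.js security fixes" reads as though a word is missing between "upgrade" and "low-severity"; the slug "openssl-and-low-severity-fixes-sep-2019" suggests "OpenSSL upgrade and low-severity Node.js security fixes" was intended.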