OpenSSL 3.0.7 update assessment

由 Rafael Gonzaga

Summary

The vulnerability in the OpenSSL Security Advisory of Dec 13 2022 do not affect any active Node.js release lines.

Analysis

Our assessment of the security advisory is:

X.509 Policy Constraints Double Locking (CVE-2022-3996)

Node.js doesn't call OpenSSL as a separate process (so the possibility to use the -policy flag is invalid), nor call the functions X509_VERIFY_PARAM_add0_policy() and X509_VERIFY_PARAM_set1_policies(). Therefore, Node.js is not affected by this vulnerability.

Contact and future updates

The current Node.js security policy can be found at https://github.com/nodejs/node/blob/HEAD/SECURITY.md#security, including information on how to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.

回到页顶