https://mta.openssl.org/pipermail/openssl-announce/2018-November/000138.html
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.1a, 1.1.0j and 1.0.2q.
These releases will be made available on 20th November 2018 between
approximately 1300-1700 UTC.
These are bug-fix releases. They also contain the fixes for three LOW
severity security issues CVE-2018-0735, CVE-2018-0734 and CVE-2018-5407 which
were previously announced here:
https://www.openssl.org/news/secadv/20181029.txt
https://www.openssl.org/news/secadv/20181030.txt
https://www.openssl.org/news/secadv/20181112.txt
CVE-2018-0735 only affects the 1.1.0 branch.
CVE-2018-0734 affects the 1.1.1, 1.1.0 and 1.0.2 branches.
CVE-2018-5407 affects the 1.0.2 branch. It also affects older 1.1.0 releases
before 1.1.0i.
These are fixes I've been floating but that haven't yet made it into releases:
The impression they were giving was that they were not going to bother with releases any time soon for these flaws. But now they are doing it. I'm not sure if that's because they are reconsidering their approach or because they didn't signal it well enough (or I picked up on the wrong signal).
With these new releases, all of those commits can be ignored and we'll get full increments of all OpenSSL. We haven't released any of these cherry-picks yet and now we won't need to.
/cc @nodejs/crypto @nodejs/security