blog: add openssl assessment

pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-oct2023.md

@@ -0,0 +1,49 @@
+---
+date: 2023-10-25:00:15.000Z
+category: vulnerability
+title: OpenSSL Recent Security Patches
+slug: openssl-fixes-in-regular-releases-oct2023
+layout: blog-post.hbs
+author: Rafael Gonzaga
+---
+
+## Summary
+
+The vulnerabilities released in the OpenSSL Security Advisory of:
+
+- OpenSSL 3.0.11 - Tuesday 19th September 2023
+- OpenSSL 3.0.12 - Tuesday 24th October 2023
+
+Node.js (Windows) is affected by one vulnerability rated as LOW.
+Therefore, these patches will be released in regular releases.
+
+## Analysis
+
+Our assessment of the following security advisories:
+
+- [OpenSSL 3.0.11](https://mta.openssl.org/pipermail/openssl-announce/2023-September/000273.html)
+- [OpenSSL 3.0.12](https://mta.openssl.org/pipermail/openssl-announce/2023-October/000282.html)
+
+is:
+
+### POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807) - Low
+
+Node.js is affected by this vulnerability. The CVE-2023-4807
+affects Windows users, and the vulnerability is rated as LOW by OpenSSL
+Security Team.
+
+### Incorrect cipher key & IV length processing (CVE-2023-5363) - Moderate
+
+Node.js doesn't make use or export `EVP_EncryptInit_ex2()`, `EVP_DecryptInit_ex2()` or
+`EVP_CipherInit_ex2()` functions. Node.js is not affected.
+
+### Contact and future updates
+
+The current Node.js security policy can be found at <https://github.com/nodejs/node/security/policy#security>,
+including information on how to report a vulnerability in Node.js.
+
+Subscribe to the low-volume announcement-only **nodejs-sec** mailing list at
+https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on
+security vulnerabilities and security-related releases of Node.js and the
+projects maintained in the
+[nodejs GitHub organization](https://github.com/nodejs).