From b2521005c5767e6e68193e8b2687d3b3920b1c91 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Wed, 25 Oct 2023 10:52:54 -0300 Subject: [PATCH] blog: add openssl assessment --- ...enssl-fixes-in-regular-releases-oct2023.md | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-oct2023.md diff --git a/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-oct2023.md b/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-oct2023.md new file mode 100644 index 0000000000000..42489b9074f5c --- /dev/null +++ b/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-oct2023.md 
@@ -0,0 +1,49 @@ +--- +date: 2023-10-25:00:15.000Z +category: vulnerability +title: OpenSSL Recent Security Patches +slug: openssl-fixes-in-regular-releases-oct2023 +layout: blog-post.hbs +author: Rafael Gonzaga +--- + +## Summary + +The vulnerabilities released in the OpenSSL Security Advisory of: + +- OpenSSL 3.0.11 - Tuesday 19th September 2023 +- OpenSSL 3.0.12 - Tuesday 24th October 2023 + +Node.js (Windows) is affected by one vulnerability rated as LOW. +Therefore, these patches will be released in regular releases. + +## Analysis + +Our assessment of the following security advisories: + +- [OpenSSL 3.0.11](https://mta.openssl.org/pipermail/openssl-announce/2023-September/000273.html) +- [OpenSSL 3.0.12](https://mta.openssl.org/pipermail/openssl-announce/2023-October/000282.html) + +is: + +### POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807) - Low + +Node.js is affected by this vulnerability. The CVE-2023-4807 +affects Windows users, and the vulnerability is rated as LOW by OpenSSL +Security Team. + +### Incorrect cipher key & IV length processing (CVE-2023-5363) - Moderate + +Node.js doesn't make use or export `EVP_EncryptInit_ex2()`, `EVP_DecryptInit_ex2()` or +`EVP_CipherInit_ex2()` functions. Node.js is not affected. + +### Contact and future updates + +The current Node.js security policy can be found at , +including information on how to report a vulnerability in Node.js. + +Subscribe to the low-volume announcement-only **nodejs-sec** mailing list at +https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on +security vulnerabilities and security-related releases of Node.js and the +projects maintained in the +[nodejs GitHub organization](https://github.com/nodejs).
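Review bot: The front-matter `date: 2023-10-25:00:15.000Z` is not a valid timestamp (a colon where the `T` separator belongs, and no seconds field), so the blog's date parsing will likely reject or mis-sort this post; the other posts in this directory should show the expected ISO-8601 form to copy. Also in this hunk, the line "The current Node.js security policy can be found at ," has an empty link target; the security policy URL needs to be filled in before merge, otherwise the "how to report a vulnerability" pointer is dead. Smaller wording points in the same hunk: "Node.js doesn't make use or export `EVP_EncryptInit_ex2()`..." should read "Node.js does not use or export ..."; "The CVE-2023-4807 affects Windows users" should drop the article ("CVE-2023-4807 affects Windows users"); "rated as LOW by OpenSSL Security Team" should read "by the OpenSSL Security Team"; and the Summary opens with a fragment ("The vulnerabilities released in the OpenSSL Security Advisory of:" followed by the list) that never gets a verb, so a reader does not learn until the next paragraph that this is the list of advisories assessed. For the CVE-2023-4807 section it would help to state in one sentence what the practical impact on Windows builds of Node.js is and that the fix ships with the next regular releases, since that is the conclusion the Summary relies on.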