doc: post-release announcement Mar 2022 OpenSSL Updates #4497

Merged
merged 5 commits into from
Mar 18, 2022
31 changes: 26 additions & 5 deletions locale/en/blog/vulnerability/mar-2022-security-releases.md
@@ -1,19 +1,40 @@
---
date: 2022-03-16T23:22:00.000Z
date: 2022-03-18T01:52:00.000Z
category: vulnerability
title: OpenSSL security releases require Node.js security releases
slug: openssl-and-high-severity-fixes-mar-2022
layout: blog-post.hbs
author: Joe Sepi
---

# _(Update 16-Mar-2022)_ Summary
# _(Update 18-Mar-2022)_ Security releases available

Updates are now available for v17.x, v16.x, v14.x, and v12.x Node.js release lines to incorporate upstream patches from OpenSSL.

## Update to OpenSSL 3.0.2n and 1.1.1n, (High) (CVE-2022-0778)

Infinite loop in BN_mod_sqrt() reachable when parsing certificates.
More details are available at https://www.openssl.org/news/secadv/20220315.txt

Impacts:
* All versions of the 17.x, 16.x, 14.x, and 12.x releases lines.

## Downloads and release details

* [Node.js v12.22.11 (LTS)](https://nodejs.org/en/blog/release/v12.22.11/)
* [Node.js v14.19.1 (LTS)](https://nodejs.org/en/blog/release/v14.19.1/)
* [Node.js v16.14.2 (LTS)](https://nodejs.org/en/blog/release/v16.14.2/)
* [Node.js v17.7.2 (Current)](https://nodejs.org/en/blog/release/v17.7.2/)

---

### _(Update 16-Mar-2022)_ Summary

The Node.js project will release new versions of the 12.x, 14.x, 16.x, and 17.x
releases lines on or shortly after Thursday, March 17th, 2022 to incorporate
upstream patches from OpenSSL.

## Impact
### Impact

The 17.x release line of Node.js is vulnerable to one High severity issue.
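
Review bot: The added heading "## Update to OpenSSL 3.0.2n and 1.1.1n, (High) (CVE-2022-0778)" gives the 3.0 version a letter suffix, but OpenSSL 3.0 releases are numbered without one, so this should read "3.0.2 and 1.1.1n"; the comma before "(High)" can also go. In the added "Impacts:" bullet, "releases lines" should be "release lines". The earlier announcement is demoted to "### _(Update 16-Mar-2022)_ Summary" while its "### Impact" subsection gets the same level, so the subsection no longer nests under the dated summary; consider "##" for the dated summary or "####" for its children.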

Expand All @@ -23,11 +44,11 @@ The 14.x release line of Node.js is vulnerable to one High severity issue.

The 12.x release line of Node.js is vulnerable to one High severity issue.

## Release timing
### Release timing

Releases will be available on, or shortly after, Thursday, March 17th, 2022.

## Contact and future updates
### Contact and future updates

The current Node.js security policy can be found at https://github.com/nodejs/node/blob/master/SECURITY.md.
Please follow the process outlined in https://github.com/nodejs/node/blob/master/SECURITY.md
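
Review bot: "### Release timing" and "### Contact and future updates" now sit at the same heading level as "### _(Update 16-Mar-2022)_ Summary", so they read as siblings of the superseded announcement instead of its subsections. If they are meant to stay as part of the 16-Mar record, "####" would make that explicit. That matters for "Release timing" in particular, because "Releases will be available on, or shortly after, Thursday, March 17th, 2022." stays in the future tense while the new top section says the releases are available. If "Contact and future updates" is meant to apply to the whole post, it would be clearer kept at "##" outside the dated section.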