-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenSSL 1.0.2l this week #13161
Comments
As long as I see commit logs up to the latest HEAD of 1.0.2, there are several bug fixes in ssl and crypto but no security fixes of even low severity. The back-ported patch of f439065 was applied to Node in a few weeks ago and it is no longer needed after upgrading. I think we need not a security assessment of this openssl release and are not in a hurry to release Node. @nodejs/collaborators I call someone for a volunteer to work on upgrading of the openssl. Its procedure is written in https://github.com/nodejs/node/blob/master/deps/openssl/doc/UPGRADING.md and I will be a reviewer. |
I'd be happy to take a look at this. |
@danbev Okay, please check the doc and ask me if you have any questions. After releasing openssl-1.0.2l on 25th May, you can submit a PR and run CI. I will review it. |
It's out now, https://www.openssl.org/news/openssl-1.0.2-notes.html, I haven't looked at the diff but the release notes are underwhelming:
|
Great, I'm going to take a look at this today. |
All symlink files in deps/openssl/openssl/include/openssl/ are removed and replaced with real header files to avoid issues on Windows. Two files of opensslconf.h in crypto and include dir are replaced to refer config/opensslconf.h. Fixes: #13161 PR-URL: #13233 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Regenerate asm files with Makefile and CC=gcc and ASM=nasm where gcc version was 5.4.0 and nasm version was 2.11.08. Also asm files in asm_obsolete dir to support old compiler and assembler are regenerated without CC and ASM envs. Fixes: #13161 PR-URL: #13233 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Added the missing make command in steps 6.3 when building asm_obsolete. Also updated the commit message to include the version nasm in addition to the gcc version. Fixes: #13161 PR-URL: #13233 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
All symlink files in deps/openssl/openssl/include/openssl/ are removed and replaced with real header files to avoid issues on Windows. Two files of opensslconf.h in crypto and include dir are replaced to refer config/opensslconf.h. Fixes: #13161 PR-URL: #13233 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Regenerate asm files with Makefile and CC=gcc and ASM=nasm where gcc version was 5.4.0 and nasm version was 2.11.08. Also asm files in asm_obsolete dir to support old compiler and assembler are regenerated without CC and ASM envs. Fixes: #13161 PR-URL: #13233 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Added the missing make command in steps 6.3 when building asm_obsolete. Also updated the commit message to include the version nasm in addition to the gcc version. Fixes: #13161 PR-URL: #13233 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
This replaces all sources of openssl-1.0.2l.tar.gz into deps/openssl/openssl Fixes: nodejs#13161 PR-URL: nodejs#13233 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
All symlink files in deps/openssl/openssl/include/openssl/ are removed and replaced with real header files to avoid issues on Windows. Two files of opensslconf.h in crypto and include dir are replaced to refer config/opensslconf.h. Fixes: nodejs#13161 PR-URL: nodejs#13233 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Regenerate config files for supported platforms with Makefile. Fixes: nodejs#13161 PR-URL: nodejs#13233 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Regenerate asm files with Makefile and CC=gcc and ASM=nasm where gcc version was 5.4.0 and nasm version was 2.11.08. Also asm files in asm_obsolete dir to support old compiler and assembler are regenerated without CC and ASM envs. Fixes: nodejs#13161 PR-URL: nodejs#13233 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Added the missing make command in steps 6.3 when building asm_obsolete. Also updated the commit message to include the version nasm in addition to the gcc version. Fixes: nodejs#13161 PR-URL: nodejs#13233 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
This replaces all sources of openssl-1.0.2l.tar.gz into deps/openssl/openssl Fixes: nodejs#13161 PR-URL: nodejs#13233 Backport-PR-URL: nodejs#13695 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
All symlink files in deps/openssl/openssl/include/openssl/ are removed and replaced with real header files to avoid issues on Windows. Two files of opensslconf.h in crypto and include dir are replaced to refer config/opensslconf.h. Fixes: nodejs#13161 PR-URL: nodejs#13233 Backport-PR-URL: nodejs#13695 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
This replaces all sources of openssl-1.0.2l.tar.gz into deps/openssl/openssl Fixes: nodejs/node#13161 PR-URL: nodejs/node#13233 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
All symlink files in deps/openssl/openssl/include/openssl/ are removed and replaced with real header files to avoid issues on Windows. Two files of opensslconf.h in crypto and include dir are replaced to refer config/opensslconf.h. Fixes: nodejs/node#13161 PR-URL: nodejs/node#13233 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Regenerate config files for supported platforms with Makefile. Fixes: nodejs/node#13161 PR-URL: nodejs/node#13233 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Regenerate asm files with Makefile and CC=gcc and ASM=nasm where gcc version was 5.4.0 and nasm version was 2.11.08. Also asm files in asm_obsolete dir to support old compiler and assembler are regenerated without CC and ASM envs. Fixes: nodejs/node#13161 PR-URL: nodejs/node#13233 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Added the missing make command in steps 6.3 when building asm_obsolete. Also updated the commit message to include the version nasm in addition to the gcc version. Fixes: nodejs/node#13161 PR-URL: nodejs/node#13233 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
"These are bug-fix only releases" i.e. I don't believe we'll be rushing anything here, nor does there appear to be a need for an announcement on this (unless somehow this release makes a bit of noise that is unsettling to some just because it's OpenSSL and that's unsettling in itself). So I imagine we'll just be seeing this slot in as a normal dependency upgrade across our active release lines which are all on 1.0.2.
@nodejs/security @nodejs/security-wg — if there are any alternative ideas on policy or procedure on this one please let us know.
The text was updated successfully, but these errors were encountered: