-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenSSL upgrades: May 3rd #6458
Comments
I can be available at that time. CVE-2016-2109 was already fixed in openssl/openssl@f327740. It is DoS against ASN.1 BIO api and seems to be low severity. ALPN behavior was also changed in openssl/openssl@af2db04. I will check if it affects Node before release. |
Who is doing these? I'm around to do v5 or v6. From the LTS call I think @thealphanerd will take v4, @jasnell maybe taking 0.10 / 0.12? |
I can help too on v5/v6 if needed |
I can definitely do v0.10 and v0.12 unless someone else wants to take one of them. |
Actually, let me take that back. I've had a couple things pop up today that are going to take quite a bit of my time this week. Would be great if someone else can take v0.10 and v0.12 but if there's no one else who can I'll try to make it work. |
I'd like to do v0.10 and v0.12, I've had enough practice with their quirks so far that I wouldn't mind keeping that focus. @thealphanerd has v4 and offered v5 too but IMO it'd be good to have a singular focus on v4 to keep that solid. @evanlucas and @Fishrock123 how about you toss a coin for v5 and v6? As I said in nodejs/security we've set the precedent that we don't release pure security releases with non-LTS lines so you can include as much other stuff as you're comfortable, that's up to you. |
SGTM. I'll get a proposal out in the am |
fwiw we set the expectation that releases would be on or after Thursday, UTC, so there's no great rush and the severity indicators the team has come up with so far don't look particularly dramatic either, so no panic! |
I'll do v6? |
@evanlucas You can take it over if you'd really like. I don't really have an opinion if it should be a minor or not, I hadn't looked at how big the minors were, we could cut them out and do a patch potentially. v5 will be easy imo. I doubt we'll backport much/anything else. |
@Fishrock123 ah sorry, totally missed your open pr. I'll take v5 since you already have that proposal out. |
@shigeki @bnoordhuis @indutny here's my workup of your assessment, I'll post this shortly on nodejs-sec and nodejs.org: (Update 4-May-2016) OpenSSL Impact AssessmentOur crypto team (Ben Noordhuis, Shigeki Ohtsu and Fedor Indutny) have performed an analysis of the defects addressed in this week's OpenSSL releases, 1.0.2h and 1.0.1t. The results of this analysis are included below. We will be producing new versions this week for all of our active release lines containing the new versions of OpenSSL in order to provide security assurance. We will provide an update here once all releases are available. We anticipate that they will be available on, or soon after, Thursday the 5th of May, UTC. CVE-2016-2107: Padding oracle in AES-NI CBC MAC checkA man-in-the-middle (MITM) attacker may be able to execute a padding oracle attack to decrypt traffic when a connection uses an AES-CBC cipher and the server runs on an Intel CPU supporting AES-NI. This is a common configuration for TLS servers. The OpenSSL project has labelled this vulnerability high severity. Assessment: All versions of Node.js are affected by this vulnerability. CVE-2016-2105: EVP_EncodeUpdate overflowAn overflow can occur in the OpenSSL Node.js uses the The OpenSSL project has labelled this vulnerability low severity.
CVE-2016-2108: Memory corruption in the ASN.1 encoderAssessment: All versions of Node.js are believed to be unaffected by this vulnerability. CVE-2016-2106: EVP_EncryptUpdate overflowAssessment: All versions of Node.js are believed to be unaffected by this vulnerability CVE-2016-2109: ASN.1 BIO excessive memory allocation (CVE-2016-2109)Assessment: All versions of Node.js are believed to be unaffected by this vulnerability CVE-2016-2176: EBCDIC overreadAssessment: All versions of Node.js are believed to be unaffected by this vulnerability |
@rvagg LGTM. Good write-up. |
LGTM |
thanks! posted to both places. |
LTGM |
All symlink files in `deps/openssl/openssl/include/openssl/` are removed and replaced with real header files to avoid issues on Windows. Two files of opensslconf.h in crypto and include dir are replaced to refer config/opensslconf.h. Fixes: #6458 PR-URL: #6550 Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Regenerate asm files with Makefile and CC=gcc and ASM=gcc where gcc-4.8.4. Also asm files in asm_obsolete dir to support old compiler and assembler are regenerated without CC and ASM envs. Fixes: #6458 PR-URL: #6550 Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
openssl/openssl@af2db04 changed some ALPN behaviors. The tests when ALPN has no selection should be fixed because openssl was changed NPN callback to be invoked in this case. Fixes: #6458 PR-URL: #6550 Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This replaces all sources of openssl-1.0.2h.tar.gz into deps/openssl/openssl Fixes: nodejs#6458 PR-URL: nodejs#6550 Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
All symlink files in `deps/openssl/openssl/include/openssl/` are removed and replaced with real header files to avoid issues on Windows. Two files of opensslconf.h in crypto and include dir are replaced to refer config/opensslconf.h. Fixes: nodejs#6458 PR-URL: nodejs#6550 Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Regenerate asm files with Makefile and CC=gcc and ASM=gcc where gcc-4.8.4. Also asm files in asm_obsolete dir to support old compiler and assembler are regenerated without CC and ASM envs. Fixes: nodejs#6458 PR-URL: nodejs#6550 Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
openssl/openssl@af2db04 changed some ALPN behaviors. The tests when ALPN has no selection should be fixed because openssl was changed NPN callback to be invoked in this case. Fixes: nodejs#6458 PR-URL: nodejs#6550 Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Thanks to everyone involved in patching and fixing this release, very smooth and relatively pain free. I've received feedback on our security processes incl. announcements, analyses and lead-time planning and I believe we're in a really good place with users' level of trust in the predictability, stability and integrity of how we conduct ourselves around these important releases. |
This just replaces all sources of openssl-1.0.1t.tar.gz into deps/openssl/openssl. Fixes: nodejs/node#6458 PR-URL: nodejs/node#6553 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
All symlink files in `deps/openssl/openssl/include/openssl/` are removed and replaced with real header files to avoid issues on Windows. Fixes: nodejs/node#6458 PR-URL: nodejs/node#6553 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Regenerate asm files with Makefile without CC and ASM envs. Fixes: nodejs/node#6458 PR-URL: nodejs/node#6553 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
cherry-pick 65030c7 from v6-staging. openssl/openssl@af2db04 changed some ALPN behaviors. The tests when ALPN has no selection should be fixed because openssl was changed NPN callback to be invoked in this case. Fixes: #6458 PR-URL: #6550 Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
cherry-pick 65030c7 from v6-staging. openssl/openssl@af2db04 changed some ALPN behaviors. The tests when ALPN has no selection should be fixed because openssl was changed NPN callback to be invoked in this case. Fixes: #6458 PR-URL: #6550 Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
cherry-pick 65030c7 from v6-staging. openssl/openssl@af2db04 changed some ALPN behaviors. The tests when ALPN has no selection should be fixed because openssl was changed NPN callback to be invoked in this case. Fixes: #6458 PR-URL: #6550 Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
As per https://mta.openssl.org/pipermail/openssl-announce/2016-April/000069.html we are in for another batch of Node.js updates around the 3rd.
As per the security policy:
The last couple of OpenSSL upgrades have been the same severity level and we have had mixed impact from them across our release lines. Node.js v0.10, v0.12, v4, v5 and v6 will all be impacted by this (yes we'll still be updating v5) but the impact could range between none and high for us and we won't know until the release.
As has been our established practice, we will be putting out new releases regardless of impact but we will also be putting out an impact assessment for our release lines prior to cutting the releases. We will not be committing to a time-frame for release but _estimate_ between 24 and 48 hours after we get our hands on the OpenSSL releases. With an impact assessment somewhere within the 24 hour mark.
I'll prepare an announcement for nodejs-sec and nodejs.org asap and it'll be roughly a copy of what we've used in the past for these.
Also, I spoke to one of the OpenSSL maintainers at Collab Summit a couple of months ago and specifically queried their release process, both in terms of frequency and also lead-time. Basically the story is that the lead time isn't going to improve, we'll just have to accept that we react to these, and the frequency is not fixed but we can probably expect roughly the frequency that we've been experiencing this year—a release every one or two months.
Even though I'd love better scheduling and much more lead time from them than we get, my take-away is that the OpenSSL project is in very good hands these days. Code quality is improving, processes are solidifying, investment has increased and there are multiple full-timers on the project now. I have a much higher level of confidence in the project than was warranted a couple of years ago.
/ @nodejs/security
The text was updated successfully, but these errors were encountered: