Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v17.7.2 proposal #42381

Merged
merged 5 commits into from
Mar 18, 2022
Merged

v17.7.2 proposal #42381

merged 5 commits into from
Mar 18, 2022

Conversation

richardlau
Copy link
Member

A combination of some GitHub issues today and having to take over this release at short notice has resulted in my decision to only pick the OpenSSL commits over for this proposal instead of our usual "treat current as a regular release". This should hopefully reduce the risk and give us more chance of getting the release out today. cc @nodejs/releasers


2022-03-17, Version 17.7.2 (Current), @richardlau

This is a security release.

Notable Changes

Update to OpenSSL 3.0.2, which addresses the following vulnerability:

Commits

  • [55e293e05f] - deps: update archs files for quictls/openssl-3.0.2+quic (Hassaan Pasha) #42356
  • [b8d090603d] - deps: upgrade openssl sources to quictls/openssl-3.0.2+quic (Hassaan Pasha) #42356
  • [c8b6d92af0] - test: fix tests affected by OpenSSL update (Michael Dawson) #42356
  • [457e31ea09] - test: renew certificates for specific test (Luigi Pinca) #42342

lpinca and others added 5 commits March 17, 2022 12:25
Renew the certificates used by
`test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js` by
running the `https_renew_cert.sh` script under the same directory.

PR-URL: #42342
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
This updates all sources in deps/openssl/openssl by:
    $ git clone git@github.com:quictls/openssl.git
    $ cd openssl
    $ cd ../node/deps/openssl
    $ rm -rf openssl
    $ cp -R ../openssl openssl
    $ rm -rf openssl/.git* openssl/.travis*
    $ git add --all openssl
    $ git commit openssl

PR-URL: #42356
Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-March/000217.html
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Michael Dawson <midawson@redhat.com>
After an OpenSSL source update, all the config files need to be
regenerated and committed by:
    $ make -C deps/openssl/config
    $ git add deps/openssl/config/archs
    $ git add deps/openssl/openssl
    $ git commit

PR-URL: #42356
Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-March/000217.html
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Last OpenSSL 3 update changes behaviour back to be
closer to that of OpenSSL 1.1.1. Remove some instances
where we expected different errors from OpenSSL 3 versus
OpenSSL 1.1.1.

Signed-off-by: Michael Dawson <midawson@redhat.com>

PR-URL: #42356
Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-March/000217.html
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Michael Dawson <midawson@redhat.com>
This is a security release.

Notable changes:

Update to OpenSSL 3.0.2, which addresses the following vulnerability:
- Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)(CVE-2022-0778)
  More details are available at https://www.openssl.org/news/secadv/20220315.txt

PR-URL: #42381
@richardlau richardlau added the request-ci Add this label to start a Jenkins CI on a PR. label Mar 17, 2022
@nodejs-github-bot nodejs-github-bot added dependencies Pull requests that update a dependency file. meta Issues and PRs related to the general management of the project. needs-ci PRs that need a full CI run. openssl Issues and PRs related to the OpenSSL dependency. v17.x labels Mar 17, 2022
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Mar 17, 2022
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Mar 17, 2022

Copy link
Member

@mhdawson mhdawson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

richardlau added a commit that referenced this pull request Mar 18, 2022
@richardlau richardlau merged commit db3d882 into v17.x Mar 18, 2022
richardlau added a commit that referenced this pull request Mar 18, 2022
This is a security release.

Notable changes:

Update to OpenSSL 3.0.2, which addresses the following vulnerability:
- Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)(CVE-2022-0778)
  More details are available at https://www.openssl.org/news/secadv/20220315.txt

PR-URL: #42381
richardlau added a commit to richardlau/nodejs.org that referenced this pull request Mar 18, 2022
@aduh95 aduh95 deleted the v17.7.2-proposal branch March 18, 2022 01:25
richardlau added a commit to richardlau/nodejs.org that referenced this pull request Mar 18, 2022
richardlau added a commit to nodejs/nodejs.org that referenced this pull request Mar 18, 2022
xtx1130 pushed a commit to xtx1130/node that referenced this pull request Apr 25, 2022
This is a security release.

Notable changes:

Update to OpenSSL 3.0.2, which addresses the following vulnerability:
- Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)(CVE-2022-0778)
  More details are available at https://www.openssl.org/news/secadv/20220315.txt

PR-URL: nodejs#42381
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file. meta Issues and PRs related to the general management of the project. needs-ci PRs that need a full CI run. openssl Issues and PRs related to the OpenSSL dependency.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants