diff --git a/locale/en/blog/vulnerability/mar-2022-security-releases.md b/locale/en/blog/vulnerability/mar-2022-security-releases.md new file mode 100644 index 0000000000000..d605e2955a5da --- /dev/null +++ b/locale/en/blog/vulnerability/mar-2022-security-releases.md 
@@ -0,0 +1,50 @@ +--- +date: 2022-03-14T12:00:00.000Z +category: vulnerability +title: OpenSSL security releases may require Node.js security releases +slug: openssl-and-high-severity-fixes-mar-2022 +layout: blog-post.hbs +author: Joe Sepi +--- + +### Summary + +The Node.js project may be releasing new versions across all of its supported +release lines late next week to incorporate upstream patches from OpenSSL. +Please read on for full details. + +### OpenSSL + +The OpenSSL project +[announced](https://mta.openssl.org/pipermail/openssl-announce/2022-March/000216.html) +this week that they will be releasing versions 3.0.2 and 1.1.1n on the 15th of +March 2022 between 1300-1700 UTC. The releases will fix two security defects that are +labelled as "HIGH" severity under their +[security policy](https://www.openssl.org/policies/secpolicy.html). + +Node.js v12.x, v14.x and v16.x use OpenSSL v1.1.1 and Node.js v17.x uses OpenSSL +v3. Therefore all active release lines are impacted by this update. + +At this stage, due to embargo, the exact nature of these defects is uncertain +as well as the impact they will have on Node.js users. + +After assessing the impact on Node.js, it will be decided whether the issues +fixed require immediate security releases of Node.js, or whether they can be +included in the normally scheduled updates. + +Please monitor the **nodejs-sec** Google Group for updates, including a +decision within 24 hours after the OpenSSL release regarding release timing, +and full details of the defects upon eventual release: +https://groups.google.com/forum/#!forum/nodejs-sec + +### Contact and future updates + +The current Node.js security policy can be found at +, +including information on how to report a vulnerability in Node.js. 
+ +Subscribe to the low-volume announcement-only **nodejs-sec** mailing list at +https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on +security vulnerabilities and security-related releases of Node.js and the +projects maintained in the +[nodejs GitHub organization](https://github.com/nodejs).
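Review bot: In the "Contact and future updates" section, the sentence "The current Node.js security policy can be found at" is followed by a line that holds only a comma, so the link target is missing and the post never tells readers where the reporting instructions live; add the policy URL on that line. In the Summary and OpenSSL sections, "late next week" and "this week" are relative to a writing date that may not match the front-matter `date: 2022-03-14T12:00:00.000Z`, while the OpenSSL release is given as the 15th of March 2022; absolute dates would keep the timeline unambiguous once the post is published. The slug `openssl-and-high-severity-fixes-mar-2022` also differs from the filename `mar-2022-security-releases.md`, so it is worth confirming which one later posts are expected to link to.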