OpenSSL Recent Security Patches

Created on November 12, 2023 at 10:46 am


Summary

For the vulnerabilities disclosed in the OpenSSL Security Advisories of:

OpenSSL 3.0.11 – Tuesday 19th September 2023

OpenSSL 3.0.12 – Tuesday 24th October 2023

Node.js (Windows) is affected by one vulnerability rated as LOW. Therefore, these patches will be released in regular Node.js releases.

Analysis

Our assessment of the following security advisories:

is:

POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807) – Low

Node.js is affected by this vulnerability. CVE-2023-4807 affects Windows users, and the vulnerability is rated as LOW by the OpenSSL Security Team.

Incorrect cipher key & IV length processing (CVE-2023-5363) – Moderate

Node.js doesn’t make use of or export the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() functions. Node.js is not affected.

Users who call the affected OpenSSL functions through other means, such as through native addons, can dynamically link against a patched version of OpenSSL until new releases of Node.js are available.
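To see whether the OpenSSL reported by a given Node.js binary predates either fix, the following added example (not code from the Node.js or OpenSSL projects) compares `process.versions.openssl` against the first fixed release on each branch. The `FIXES` table and all function names are assumptions of this example; the 3.1.x and 1.1.1 fixed releases come from the OpenSSL advisories rather than this page. A flagged CVE only means the library lacks that patch; whether Node.js itself is exposed is as assessed above.

```javascript
// Added example (not Node.js project code). First fixed release per OpenSSL
// branch, taken from the OpenSSL advisories; branches not listed are not flagged.
const FIXES = {
  'CVE-2023-4807': { windowsOnly: true,
    fixed: { '1.1.1': '1.1.1w', '3.0': '3.0.11', '3.1': '3.1.3' } },
  'CVE-2023-5363': { windowsOnly: false,
    fixed: { '3.0': '3.0.12', '3.1': '3.1.4' } },
};

// Parse strings such as "3.0.10+quic" or "1.1.1v+quic" (build suffix ignored).
function parseOpenSSLVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(text);
  if (!m) throw new Error(`unrecognised OpenSSL version: ${text}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], letter: m[4] };
}

// 1.1.1 releases are distinguished by letter; 3.x releases by patch number.
function branchOf(v) {
  return v.major === 1 ? `${v.major}.${v.minor}.${v.patch}` : `${v.major}.${v.minor}`;
}

// Compare two versions that belong to the same branch.
function isOlder(a, b) {
  return a.patch !== b.patch ? a.patch < b.patch : a.letter < b.letter;
}

// Return the CVE ids whose fix is missing from the given OpenSSL build.
function missingFixes(opensslVersion, platform) {
  const current = parseOpenSSLVersion(opensslVersion);
  return Object.entries(FIXES)
    .filter(([, f]) => !f.windowsOnly || platform === 'win32')
    .filter(([, f]) => {
      const fix = f.fixed[branchOf(current)];
      return fix !== undefined && isOlder(current, parseOpenSSLVersion(fix));
    })
    .map(([cve]) => cve);
}

// Report on the running binary (skipped if Node.js was built without OpenSSL).
if (process.versions.openssl) {
  const missing = missingFixes(process.versions.openssl, process.platform);
  console.log(`OpenSSL ${process.versions.openssl} on ${process.platform}:`,
    missing.length ? `predates fix for ${missing.join(', ')}` : 'no missing fix flagged');
}
```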

The current Node.js security policy can be found at https://github.com/nodejs/node/security/policy#security, including information on how to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.
