Paul Krill
Editor at Large

Node.js security patches delayed by OpenSSL updates

news
Dec 3, 2015
2 mins

The Node.js Foundation was to have posted patches yesterday but wants to release them with the OpenSSL upgrades included

Node.js patches will be delayed by as much as two days due to the impending release of updates to OpenSSL, which is leveraged in Node.js.

The Node.js Foundation announced a week ago that it would have patches out by yesterday to mend issues pertaining to potential denial-of-service and out-of-bound access vulnerabilities. But these security releases will wait until late Thursday or Friday, after OpenSSL releases security updates that impact versions 1.0.2, 1.0.1, 1.0.0 and 0.9.8 of OpenSSL. The intent is to release the Node.js fixes with the OpenSSL upgrades included.

“We understand that the timing of this during the workweek is unfortunate, but we must take into account the possibility of introducing a vulnerability gap between disclosure of OpenSSL vulnerabilities and patched releases by Node.js and therefore must respond as quickly as practical,” said Rod Vagg, foundation technical steering committee director, in a blog post. He added that users should be aware that patching and testing of OpenSSL updates is “a nontrivial exercise.”

“We don’t yet know what impact [the OpenSSL fixes] have specifically on Node.js users, but once we get the OpenSSL patches, we will begin testing them,” said Mikeal Rogers, a foundation representative, on Wednesday.

The OpenSSL fixes will mend a number of security defects, the highest of which was classified as “moderate” severity. “Node.js versions v0.10.x and v0.12.x depend on OpenSSL v1.0.1, and versions v4.x (Long-Term Support, Argon) and v5.x depend on OpenSSL v1.0.2,” Vagg said. “As the Node.js build process statically links OpenSSL into binaries, the security team will be required to release patch-level updates to all of our actively supported versions to include the upstream fixes.”
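Because OpenSSL is statically linked into the Node.js binary, the copy of OpenSSL on the host does not tell you what a given Node.js process actually uses; only the version compiled into the binary does. The script below is an added example, not code from the article or from the Node.js project: it reads the linked version from `process.versions.openssl` (a real Node.js property), parses the 1.0.x/0.9.8 letter-suffixed version scheme, and checks it against a table of minimum required releases. The minimums in `EXAMPLE_MINIMUMS` are placeholders, since the article does not name the fixed OpenSSL releases; an operator would substitute the versions from the actual OpenSSL advisory.

```javascript
// Added example (not from the article): report which OpenSSL a Node.js binary
// was statically linked against and whether it meets a required minimum.
// OpenSSL 1.0.x versions look like "1.0.1p" or "1.0.2d"; 0.9.8 used "0.9.8zh".

// Parse "1.0.2d" into { major, minor, fix, patch }. The patch letters are
// turned into a number: 'a' -> 1 ... 'z' -> 26, and OpenSSL's "za", "zb", ...
// continue past 'z' ("za" -> 27), so summing letter positions orders them.
function parseOpenSslVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised OpenSSL version string: ${v}`);
  const patch = m[4].split('').reduce((sum, c) => sum + (c.charCodeAt(0) - 96), 0);
  return { major: Number(m[1]), minor: Number(m[2]), fix: Number(m[3]), patch };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareOpenSslVersions(a, b) {
  const pa = parseOpenSslVersion(a);
  const pb = parseOpenSslVersion(b);
  for (const k of ['major', 'minor', 'fix', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  return 0;
}

// Decide whether the linked version is below the minimum for its branch.
// needsUpdate is null when the branch is not in the table (unknown status).
function needsUpdate(linkedVersion, minimumsByBranch) {
  const p = parseOpenSslVersion(linkedVersion);
  const branch = `${p.major}.${p.minor}.${p.fix}`;
  const required = minimumsByBranch[branch];
  if (required === undefined) {
    return { branch, required: null, needsUpdate: null };
  }
  return {
    branch,
    required,
    needsUpdate: compareOpenSslVersions(linkedVersion, required) < 0,
  };
}

// Placeholder minimums (assumption): the article does not say which OpenSSL
// letter releases contain the fixes, so these are illustrative, not advisory data.
const EXAMPLE_MINIMUMS = { '1.0.1': '1.0.1z', '1.0.2': '1.0.2z' };

// Report on the running binary. process.versions.openssl is the version that
// was compiled in, which is what matters for a statically linked build.
function reportLinkedOpenSsl(minimums = EXAMPLE_MINIMUMS) {
  const linked = process.versions.openssl;
  return { node: process.version, openssl: linked, ...needsUpdate(linked, minimums) };
}

console.log(reportLinkedOpenSsl());
```

Run it with each Node.js binary deployed on a host (`node check.js`, or the same file under `/usr/local/bin/node` versus an embedded runtime) to see which builds still need the patch-level update described above. A `needsUpdate: null` result means the binary's OpenSSL branch is not in the minimums table and must be looked up separately.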

Vagg said the foundation did not have details on the nature of any of the vulnerabilities covered by the OpenSSL fixes. Versions of Node.js that may be vulnerable cover 0.12.x, 4.x (including LTS Argon), and 5.x.
