OpenSSL Recent Security Patches
For the vulnerabilities disclosed in the OpenSSL Security Advisories of:
- OpenSSL 3.0.11 - Tuesday 19th September 2023
- OpenSSL 3.0.12 - Tuesday 24th October 2023
Node.js (Windows) is affected by one vulnerability rated as LOW. Therefore, these patches will be released in regular Node.js releases.
Our assessment of the following security advisories:
Node.js is affected by this vulnerability. CVE-2023-4807 affects Windows users, and the OpenSSL Security Team rates the vulnerability as LOW.
Node.js doesn't make use of or export EVP_CipherInit_ex2() functions. Node.js is not affected.
Users who call the affected OpenSSL functions through other means, such as through native addons, can dynamically link against a patched version of OpenSSL until new releases of Node.js are available.
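To see where a given Node.js binary stands, the following added example (not code from the Node.js project) compares the OpenSSL version the runtime reports with the two 3.0.x releases named in this post, and shows whether the build links OpenSSL dynamically. It only judges the 3.0 line, because those are the only fixed releases this post names; the function and field names are hypothetical.

```javascript
// Fixed 3.0.x releases, taken from the advisories listed in this post.
const FIXED_3_0 = { sept2023: [3, 0, 11], oct2023: [3, 0, 12] };

// Parse "3.0.10+quic" or "3.0.12" into [3, 0, 10]; null if unrecognised.
function parseOpenSSLVersion(str) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(str));
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when version triple v is >= min.
function atLeast(v, min) {
  for (let i = 0; i < 3; i++) {
    if (v[i] !== min[i]) return v[i] > min[i];
  }
  return true;
}

// info: { openssl, platform, shared } (hypothetical shape, see currentRuntime()).
// Results are null where this post gives no fixed version to compare against.
function assessOpenSSL(info) {
  const v = parseOpenSSLVersion(info.openssl);
  const on30 = v !== null && v[0] === 3 && v[1] === 0;
  const has11 = on30 ? atLeast(v, FIXED_3_0.sept2023) : null;
  const has12 = on30 ? atLeast(v, FIXED_3_0.oct2023) : null;
  return {
    version: v ? v.join('.') : null,
    // A shared build picks up a patched system OpenSSL without a new Node.js.
    sharedOpenSSL: info.shared === true || info.shared === 'true',
    hasSept2023Fixes: has11,
    hasOct2023Fixes: has12,
    // CVE-2023-4807 only matters on Windows, per the assessment above.
    cve20234807Pending:
      info.platform !== 'win32' ? false : (has11 === null ? null : !has11),
  };
}

// Collect the same fields from the running Node.js process.
function currentRuntime() {
  const vars = (process.config && process.config.variables) || {};
  return {
    openssl: process.versions.openssl,
    platform: process.platform,
    shared: vars.node_shared_openssl,
  };
}

console.log(assessOpenSSL(currentRuntime()));
```

A native addon that links its own OpenSSL is not covered by this check, since `process.versions.openssl` describes only the library Node.js itself was built against.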
The current Node.js security policy can be found at https://github.com/nodejs/node/security/policy#security, including information on how to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.