OpenSSL 3.0.7 update assessment
The vulnerability in the OpenSSL Security Advisory of Dec 13 2022 do not affect any active Node.js release lines.
Our assessment of the security advisory is:
X.509 Policy Constraints Double Locking (CVE-2022-3996)
Node.js doesn't call OpenSSL as a separate process (so the possibility to use the
-policy flag is invalid), nor call
Therefore, Node.js is not affected by this vulnerability.
Contact and future updates
The current Node.js security policy can be found at https://github.com/nodejs/node/blob/HEAD/SECURITY.md#security, including information on how to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.