OpenSSL and zlib update assessment, and Node.js Assessment workflow

Summary

The vulnerability in the OpenSSL security release of Oct 11 2022 does not affect any active Node.js release lines. Likewise,
the zlib vulnerability (CVE-2022-37434), patched in the zlib security release of Oct 13 2022, does not affect Node.js.

Analysis OpenSSL

Our assessment of the security advisory is:

Using a Custom Cipher with NID_undef may lead to NULL encryption (CVE-2022-3358)

Node.js doesn’t call EVP_CIPHER_meth_new(NID_undef, ...). Therefore, Node.js is not affected by this vulnerability.

Analysis zlib

Our assessment of CVE-2022-37434 is:

Buffer overflow in inflate via a large gzip header extra field

Node.js doesn’t call inflateGetHeader. Therefore, Node.js is not affected by this vulnerability.

For further information, see nodejs-dependency-vuln-assessments#50.
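Both analyses rest on the same precondition: whether the calling code references the affected API at all. One way to check that over a consumer's C/C++ sources, as an added example that is not part of the original post and not the Node.js project's own tooling (function names, the rule table and the sample sources are constructed for illustration):

```javascript
// Added example: textual call-site check for the two APIs named in the assessment.
// Blank out comments and string/char literals so mentions inside them are not counted.
function stripCommentsAndStrings(src) {
  return src.replace(
    /\/\*[\s\S]*?\*\/|\/\/[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'/g,
    (m) => m.replace(/[^\n]/g, ' ') // keep newlines so line numbers stay correct
  );
}

// Text of the first argument of the call whose '(' sits at openIdx.
function firstArg(code, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < code.length; i++) {
    const c = code[i];
    if (c === '(') depth++;
    else if (c === ')' && --depth === 0) return code.slice(openIdx + 1, i).trim();
    else if (c === ',' && depth === 1) return code.slice(openIdx + 1, i).trim();
  }
  return ''; // unbalanced parentheses
}

// rules: { symbol: predicate(firstArgText) }, true when the call meets the CVE precondition.
function findRiskyCalls(files, rules) {
  const hits = [];
  for (const [file, src] of Object.entries(files)) {
    const code = stripCommentsAndStrings(src);
    for (const [symbol, matches] of Object.entries(rules)) {
      const re = new RegExp(`\\b${symbol}\\s*\\(`, 'g');
      let m;
      while ((m = re.exec(code)) !== null) {
        const arg = firstArg(code, m.index + m[0].length - 1);
        if (!matches(arg)) continue;
        hits.push({ file, symbol, firstArg: arg, line: code.slice(0, m.index).split('\n').length });
      }
    }
  }
  return hits;
}

const RULES = {
  EVP_CIPHER_meth_new: (arg) => arg === 'NID_undef', // CVE-2022-3358: custom cipher with NID_undef
  inflateGetHeader: () => true,                      // CVE-2022-37434: any call is in scope
};

// Constructed sample sources (not Node.js code): one clean file, one with both patterns.
const SAMPLE = {
  'safe.cc': '// inflateGetHeader is not used here\nconst char* s = "inflateGetHeader(";\nEVP_CIPHER_meth_new(NID_aes_128_cbc, 16, 16);\n',
  'risky.c': 'int rc;\nrc = inflateGetHeader(&strm, &head);\nc = EVP_CIPHER_meth_new( NID_undef , 1, 16);\n',
};
console.log(findRiskyCalls(SAMPLE, RULES));
```

A textual scan like this misses calls made through function pointers, macros or prebuilt binaries, so a clean result is a starting point for an assessment rather than proof of non-exposure.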

Node.js Vulnerability Assessment workflow

The Node.js Security team created an automated workflow that aims to address all public CVEs of Node.js dependencies.

This initiative aims to reduce the gap between a dependency security release and a Node.js assessment.
The repository is available at nodejs/nodejs-dependency-vuln-assessments, and the assessments are made through the
issues.

Be sure to watch the repository if you are interested in security patches.

Contact and future updates

The current Node.js security policy can be found at https://github.com/nodejs/node/blob/HEAD/SECURITY.md#security,
including information on how to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at
https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on
security vulnerabilities and security-related releases of Node.js and the
projects maintained in the
Node.js GitHub organization.


This content originally appeared on Node.js Blog and was authored by Rafael Gonzaga



Rafael Gonzaga | Sciencx (2022-10-24T20:00:15+00:00) OpenSSL and zlib update assessment, and Node.js Assessment workflow. Retrieved from https://www.scien.cx/2022/10/24/openssl-and-zlib-update-assessment-and-node-js-assessment-workflow/
