A NULL pointer dereference was found in the signature_algorithms processing in OpenSSL, a Secure Sockets Layer toolkit, which could result in denial of service.
Additional details can be found in the upstream advisory: https://www.openssl.org/news/secadv/20210325.txt
For the stable distribution (buster), this problem has been fixed in version 1.1.1d-0+deb10u6.
We recommend that you upgrade your openssl packages.
For the detailed security status of openssl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl
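The advisory gives the fixed package version for buster but leaves the comparison to the reader. The script below is an added example (not part of the Debian or OpenSSL advisories) that compares an installed openssl package version against that fixed version using dpkg's own ordering when dpkg is present, with a sort -V fallback for hosts without it. The version strings fed to it in the usage section are constructed for illustration; on a real buster host the installed version comes from dpkg-query.

```shell
#!/bin/sh
# Added example: is the installed Debian "openssl" package at or above the
# version the advisory names as fixed for buster?
FIXED_VERSION="1.1.1d-0+deb10u6"

# version_ge A B -> exit 0 when Debian version A >= B.
# dpkg's comparison is authoritative; the sort -V fallback is adequate for
# the simple "<upstream>-<rev>+deb10uN" strings used here.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
    fi
}

# openssl_status VERSION -> prints "fixed" or "vulnerable" for that package
# version relative to FIXED_VERSION.
openssl_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Usage on a buster host (only runs when asked, so the functions above can
# be sourced without side effects):
#   sh check-openssl.sh --check-host
if [ "${1:-}" = "--check-host" ] && command -v dpkg-query >/dev/null 2>&1; then
    installed=$(dpkg-query -W -f='${Version}' openssl 2>/dev/null || true)
    if [ -n "$installed" ]; then
        echo "openssl $installed: $(openssl_status "$installed")"
    else
        echo "openssl package not installed"
    fi
fi

# Constructed sample versions for a dry run (not from a real host):
#   openssl_status 1.1.1d-0+deb10u5   -> vulnerable
#   openssl_status 1.1.1d-0+deb10u6   -> fixed
#   openssl_status 1.1.1k-1           -> fixed
```

The same pattern applies to any DSA: replace FIXED_VERSION with the version named in the advisory for the distribution in question, and keep using dpkg's comparison rather than a plain string compare, since Debian revisions such as +deb10u10 do not sort correctly as text.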
Openssl Security Flaw
The OpenSSL project has released a description of the issue fixed in the OpenSSL 1.1.1g update. It only affects a function which is not called by Node.js (or its dependencies), and as such, does not affect Node.js.
No Node.js security releases are required.
For more information, see the OpenSSL announcement.
The previous Node.js announcement can be found below.
The Node.js project may be releasing new versions across all of its supported release lines early next week to incorporate upstream patches from OpenSSL. Please read on for full details.
Openssl Security Advisory
The OpenSSL project announced this week that they will be releasing version 1.1.1g on the 21st of April. The highest severity issue that will be fixed in the release is 'HIGH' severity under their security policy, meaning they are:
... issues that are of a lower risk than critical, perhaps due to affecting less common configurations, or which are less likely to be exploitable.
All supported versions of Node.js use OpenSSL v1.1.1, therefore all active release lines are impacted by this update: v10.x, v12.x, v13.x, and v14.x (14.0.0 is to be released on the 21st of April, by coincidence).
At this stage, due to embargo, the exact nature of these defects is uncertain as well as the impact they will have on Node.js users.
After assessing the impact on Node.js, it will be decided whether the issues fixed require immediate security releases of Node.js, or whether they can be included in the normally scheduled updates.
Please monitor the nodejs-sec Google Group for updates, including a decision within 24 hours after the OpenSSL release regarding release timing, and full details of the defects upon eventual release: https://groups.google.com/forum/#!forum/nodejs-sec
Contact and future updates
The current Node.js security policy can be found at https://nodejs.org/en/security/, including information on how to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.