OpenSSL upgrades: January 28th 2016 #4857
Comments
silverwind
added
meta
|
I will be available at that day and make assessment and upgrade if high severity affects Node. |
|
Should I delay this week's stable release until thursday for this? |
mscdex
added
openssl
|
@Fishrock123 / @nodejs/release yes I think best to put off stable until we have this figured out. We discussed this briefly in the LTS call today, given that the 28th is a Thursday and we're unlikely to have it ready to roll the same day we'd be either releasing on Friday or Saturday which is very far from ideal! I'll try and come up with a proposal for a strategy on this today so we can move forward. |
|
Forthcoming openssl-1.0.2f and 1.0.1r raised the minimum DH size of a tls client connection from 768 to 1024 bits. ( openssl/openssl@a4530ce and openssl/openssl@f5fc940 ) |
|
The @nodejs/security team will also be releasing some low-severity fixes related to HTTP processing. Patches are currently under review in our private repository with full disclosure coming at time of release. Given our experience with taking OpenSSL updates and immediately applying them to all release lines on top of our own security patches, and then shipping them all in a roughly synchronised manner, and also taking into account that the two defects in OpenSSL are labelled "high" rather than "critical", I'm proposing that we defer release until Monday, the 1st of February. This way we avoid a scramble that increases the likelihood of a botched release and we don't give users a Friday or weekend release that they need to apply to their production environments. However, we ought to also allow for the possibility that the impact of the OpenSSL defects are closer to "critical" for Node.js users the gap between disclosure and release of 4 days is unacceptable, requiring us to act sooner, possibly on the Friday or even Saturday. We should look to @nodejs/crypto to help us make that call. In accordance with this, below is my proposed post to nodejs-sec and nodejs.org (I won't post an additional issue on GitHub, we'll use this thread). The CVSS score is incorrect, I'll update it when @jasnell, who is handling our fixes, has a chance to come up with it. Further, I propose that we also turn off anonymous access to Jenkins on Friday, restricting it to collaborators and @nodejs/build until release, so that we have the chance to properly put our patches through the system. Please review and comment @nodejs/security, I'll post this within 24 hours unless there are objections. OpenSSL upgrade low-severity Node.js security fixesSummaryThe Node.js project will be releasing new versions across all of its active release lines early next week (possibly sooner, pending full impact assessment) to incorporate upstream patches from OpenSSL and some additional low-severity fixes relating to HTTP handling. Please read on for full details. OpenSSLThe OpenSSL project announced this week that they will be releasing versions 1.0.2f and 1.0.1r on the 28th of January, UTC. The releases will fix two security defects that are labelled as "high" severity under their security policy, meaning they are:
Node.js v0.10 and v0.12 both use OpenSSL v1.0.1 and Node.js v4 and v5 both use OpenSSL v1.0.2 and are normally statically compiled. Therefore, all active release lines are impacted by this update. At this stage, due to embargo, the exact nature of these defects is uncertain as well as the impact they will have on Node.js users. Low-severity Node.js security fixesIn addition, we have some fixes to release relating to Node.js HTTP processing. We categorise these as low-severity and are not aware of any existing exploits leveraging the defects. Full details are embargoed until new releases are available. Common Vulnerability Scoring System (CVSS) v3 Base Score:
Refer to the CVSS v3 Specification for details on the meanings and application of the vector components. ImpactBoth the OpenSSL updates and the Node.js fixes affect all actively maintained release lines of Node.js.
Release timingAs the OpenSSL release is planned for late in the week, we are currently planning on deferring Node.js releases until early next week due to the complexity of the upgrade process and a preference for not releasing security fixes at the end of the work-week or on the weekend. Releases will be available at, or shortly after, Monday the 1st of February, 11pm UTC (Monday the 1st of February, 3pm Pacific Time) along with disclosure of the details defects to allow for complete impact assessment by users. However, when details of the OpenSSL defects are released on the 28th, our crypto team will be making a more detailed assessment on the likely severity for Node.js users. In the event that the team determines that the fixes are critical in nature for Node.js users we may choose to expedite releases for Friday or Saturday in order to ensure that users have the ability to protect their deployments against a disclosed vulnerability. Please monitor the nodejs-sec Google Group for updates, including a decision within 24 hours after the OpenSSL release regarding release timing, and full details of the defects upon eventual release: https://groups.google.com/forum/#!topic/nodejs-sec Contact and future updatesThe current Node.js security policy can be found at https://nodejs.org/en/security/. Please contact [email protected] if you wish to report a vulnerability in Node.js. Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organisation. |
|
The proposed post looks good to me |
|
I'm fine with this. |
|
LGTM |
|
This is a bit of a tangent, but what is our current policy with announcing this to the community via social media? Do we generally hold off until the release is out or do we start getting the word out once this copy is on the blog? |
|
No policy on social media, mostly that's out of our control, even the Posting to nodejs-sec and nodejs.org now. |
|
Updated my post above with the contents of the announcement that's just gone out @ https://groups.google.com/forum/#!topic/nodejs-sec/G8IA0G4uA88 and http://nodejs.org/en/blog/vulnerability/openssl-and-low-severity-fixes-jan-2016/ This is how I'm describing it in twitter-length: https://twitter.com/rvagg/status/692312591901700096 Please promote. |
|
I will be monitoring the issue tracker to the best of my ability, but please ping the @nodejs/docker WG in case of an emergency out-of-schedule release before Monday to make sure this gets in to the official Docker Images as soon as possible |
|
@nodejs/collaborators I've just disabled access to Jenkins for anyone but collaborators, @nodejs/build and libuv. It'll stay this way until after release as we'll be putting some tests through from the private repo where we're testing embargoed patches. It's not likely that you'd be able to see code through this but commit messages are likely to appear in various places. Please keep detailed embargoed. |
|
@nodejs/crypto (and others), here's my proposed update that I'd like to post to nodejs-sec and also append to the post on nodejs.org. Please review and let me know if I'm not making sense. I'd like to get this posted in the next couple of hours so I hope someone's around! OpenSSL Impact AssessmentOpenSSL versions 1.0.1r and 1.0.21 have been released, the announcement can be found here: https://mta.openssl.org/pipermail/openssl-announce/2016-January/000061.html Our team has made an assessment of the impact of the disclosed defects and concluded that there is no urgency in releasing patched versions of Node.js in response to this release. Therefore, we will be proceeding as planned and attempt to release new versions of each of our active release lines on or after DetailsDH small subgroups (CVE-2016-0701) Node.js v0.10 and v0.12 are not affected by this defect. Node.js v4 and v5 use the SSLv2 doesn't block disabled ciphers (CVE-2015-3197) Node.js v0.10 and v0.12 disable SSLv2 by default and are not affected unless the Node.js v4 and v5 do not support SSLv2. An update on DHE man-in-the-middle protection (Logjam) Previous releases of OpenSSL, included since Node.js v0.10.39, v0.12.5 and v4.0.0, mitigated against Logjam for TLS clients by rejecting connections from servers where Diffie-Hellman parameters were shorter than 768-bits. The new OpenSSL releases, for Node.js v0.10, v0.12 and v4, increases this to 1024-bits. Node v5 includes a Note that this item only impacts TLS clients connecting to servers with weak DH parameter lengths. |
One comment is that v5.x has already limits to 1024-bits with a minDHSize option. So
Otherwise, LGTM. |
|
@shigeki ありがとう! Will update and link to https://nodejs.org/api/tls.html#tls_tls_connect_options_callback |
|
Nit: Replace comma with a period/full-stop:
|
|
I've just wrote down a doc manual for upgrading to 1.0.2f in https://github.com/shigeki/node/blob/upgrade_openssl102f/deps/openssl/doc/UPGRADING.md I call for someone volunteers in @nodejs/collaborators to work upgrading openssl-1.0.2f with reviewing this manual. The new release is to be held on Monday so that we have to finish landing this by the time of Sunday, 31 January 2016, 21:00:00 UTC. I will be a reviewer of PR. I would like to ask anyone who can work it through this weekend and is interested in tls/crypto features of Node. |
|
I have some time on Sunday but probably not enough to upgrade all release branches. |
|
@bnoordhuis Thanks, Ben. I'm still waiting for a new comer. If no one hands up, I will ask you on only 1.0.2f for master, 4.x and 5.x. I will work on v0.12 and v0.10 for 1.0.1r on Saturday. |
|
I can likely help with v4.x on Saturday edit: and v5.x as well if it is easy enough |
|
@thealphanerd Thanks. You can work on master at first then can backport to 5.x and 4.x. Please look at the doc and ask me any questions. The command examples in the doc are based on Ubuntu/Linux. What is your platform? |
@nodejs/security
Ref: https://mta.openssl.org/pipermail/openssl-announce/2016-January/000058.html
High severity is defined as:
The last round of updates were also high.
Note that this impacts all our active release lines, v0.10 and v0.12 use 1.0.1 and v4 and v5 use 1.0.2. It's very possible that both of the bugs being fixed don't impact Node.js at all or that our impact assessment is much lower than theirs due to how we are using the particular parts of OpenSSL affected. Therefore, we will have to make an assessment on the urgency of release when we see the details on the 28th. It may be prudent to plan for releases for some or all of our release lines within one or two days of the 28th regardless, in order to give some predictability to users. The only catch here is that we only have two commits queued up for v0.10, a doc fix and a fix to tools/install.py to generate proper header files (a welcome fix). So it's harder to justify a v0.10 release if the OpenSSL fixes turn out to be irrelevant for Node.js. v0.12 has more meaty commits (7), worthy of a stand-alone release.
I'll prepare an announcement for nodejs-sec and nodejs.org and post a draft here but I'd like to hear thoughts on my above point about planning for releases regardless of impact.
The text was updated successfully, but these errors were encountered: