diff --git a/locale/en/blog/vulnerability/openssl-and-zlib-vulnerability-assessment.md b/locale/en/blog/vulnerability/openssl-and-zlib-vulnerability-assessment.md new file mode 100644 index 0000000000000..678a3cbebd454 --- /dev/null +++ b/locale/en/blog/vulnerability/openssl-and-zlib-vulnerability-assessment.md 
@@ -0,0 +1,57 @@ +--- +date: 2022-10-24T20:00:15.000Z +category: vulnerability +title: OpenSSL and zlib update assessment, and Node.js Assessment workflow +slug: openssl-and-zlib-vulnerability-assessment-oct2022 +layout: blog-post.hbs +author: Rafael Gonzaga +--- + +## Summary + +The vulnerability in the OpenSSL Security release of Oct 11 2022 does not affect any active Node.js release lines, as well +as the zlib vulnerability ([CVE-2022-37434][]) patched on the zlib Security release of Oct 13 2022, does not affect Node.js. + +## Analysis OpenSSL + +Our assessment of the [security advisory](https://mta.openssl.org/pipermail/openssl-announce/2022-October/000236.html) is: + +### Using a Custom Cipher with `NID_undef` may lead to NULL encryption (CVE-2022-3358) + +Node.js doesn't call `EVP_CIPHER_meth_new(NID_undef, ...)`. Therefore, Node.js is not affected by this vulnerability. + +## Analysis zlib + +Our assessment of the [CVE-2022-37434][] is: + +### Buffer overflow in inflate via a large gzip header extra field + +Node.js doesn't call `inflateGetHeader`. Therefore, Node.js is not affected by this vulnerability. + +Further information, see: [nodejs-dependency-vuln-assessments#50][]. + +## Node.js Vulnerability Assessment workflow + +The Node.js Security team created an automated workflow that aims to address all the public CVE of Node.js dependencies. + +This initiative aims to reduce the gap between a dependency security release and a Node.js assessment. +The repository is available at [nodejs/nodejs-dependency-vuln-assessments][], and the assessments are made through the +issues. + +Ensure to watch the repository if you are interested in security patches. + +### Contact and future updates + +The current Node.js security policy can be found at , +including information on how to report a vulnerability in Node.js. 
+ +Subscribe to the low-volume announcement-only **nodejs-sec** mailing list at +https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on +security vulnerabilities and security-related releases of Node.js and the +projects maintained in the +[Node.js GitHub organization][]. + +[CVE-2022-37434]: https://nvd.nist.gov/vuln/detail/CVE-2022-37434 +[nodejs-dependency-vuln-assessments#50]: https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/50 +[nodejs/nodejs-dependency-vuln-assessments]: https://github.com/nodejs/nodejs-dependency-vuln-assessments +[Node.js GitHub organization]: https://github.com/nodejs
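Review bot: The "Contact and future updates" section has a dropped link: the line reads "The current Node.js security policy can be found at ," with nothing between "at" and the comma, so the sentence points nowhere; add the URL of the security policy (as an inline or reference-style link matching the ones at the bottom of the file) before this is published. A few smaller wording points in the same hunk: the Summary sentence runs two statements together ("does not affect any active Node.js release lines, as well as the zlib vulnerability ... does not affect Node.js") and reads more clearly split into two sentences, e.g. "The OpenSSL vulnerability ... does not affect any active Node.js release line. The zlib vulnerability ([CVE-2022-37434][]) ... also does not affect Node.js."; "Further information, see:" should be "For further information, see:"; "all the public CVE of Node.js dependencies" should be "all public CVEs in Node.js dependencies"; and "Ensure to watch the repository" should be "Make sure to watch the repository". The headings "## Analysis OpenSSL" and "## Analysis zlib" would read better as "## OpenSSL analysis" and "## zlib analysis".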