blog: add openssl assessment (#6048)

RafaelGSS · mhdawson · web-flow · commit 719d35122e73 · 2023-10-26T21:51:16.000Z
* blog: add openssl assessment

* Apply suggestions from code review

Co-authored-by: Michael Dawson &lt;mdawson@devrus.com&gt;
Signed-off-by: Rafael Gonzaga &lt;rafael.nunu@hotmail.com&gt;

---------

Signed-off-by: Rafael Gonzaga &lt;rafael.nunu@hotmail.com&gt;
Co-authored-by: Michael Dawson &lt;mdawson@devrus.com&gt;
diff --git a/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-oct2023.md b/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-oct2023.md
@@ -0,0 +1,53 @@
+---
+date: 2023-10-25:00:15.000Z
+category: vulnerability
+title: OpenSSL Recent Security Patches
+slug: openssl-fixes-in-regular-releases-oct2023
+layout: blog-post.hbs
+author: Rafael Gonzaga
+---
+
+## Summary
+
+For the vulnerabilities disclosed in the OpenSSL Security Advisories of:
+
+- OpenSSL 3.0.11 - Tuesday 19th September 2023
+- OpenSSL 3.0.12 - Tuesday 24th October 2023
+
+Node.js (Windows) is affected by one vulnerability rated as LOW.
+Therefore, these patches will be released in regular Node.js releases.
+
+## Analysis
+
+Our assessment of the following security advisories:
+
+- [OpenSSL 3.0.11](https://mta.openssl.org/pipermail/openssl-announce/2023-September/000273.html)
+- [OpenSSL 3.0.12](https://mta.openssl.org/pipermail/openssl-announce/2023-October/000282.html)
+
+is:
+
+### POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807) - Low
+
+Node.js is affected by this vulnerability. The CVE-2023-4807
+affects Windows users, and the vulnerability is rated as LOW by the OpenSSL
+Security Team.
+
+### Incorrect cipher key & IV length processing (CVE-2023-5363) - Moderate
+
+Node.js doesn't make use or export `EVP_EncryptInit_ex2()`, `EVP_DecryptInit_ex2()` or
+`EVP_CipherInit_ex2()` functions. Node.js is not affected.
+
+Users who call the affected OpenSSL functions through other means,
+such as through native addons, can dynamically link against a patched version of OpenSSL
+until new releases of Node.js are available.
+
+### Contact and future updates
+
+The current Node.js security policy can be found at <https://github.com/nodejs/node/security/policy#security>,
+including information on how to report a vulnerability in Node.js.
+
+Subscribe to the low-volume announcement-only **nodejs-sec** mailing list at
+https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on
+security vulnerabilities and security-related releases of Node.js and the
+projects maintained in the
+[nodejs GitHub organization](https://github.com/nodejs).
