[Question] Will upgrade openSSL to 3.0.9? #47443

[puremdq]

Recently there are several vulnerabilities reported about openSSL (GHSA-w2w6-xp88-5cvw, GHSA-77f3-6546-6rj7, GHSA-pxvj-4wx4-gv6w), these vulnerabilities are fixed in openSSL 3.0.9, will Node.js consider its openSSL to this version? Thanks.

[baparham]

@tmshort Do you have a plan to bump to 3.0.9 soon or should someone take a shot at making a PR rebasing against the upstream 3.0.9?

[edit: I can now see that 3.0.9 isn't released nor tagged upstream yet, so I suppose it makes perfect sense that this hasn't tracked to that change!]

[tmshort]

OpenSSL 3.0.9 doesn't exist yet (has not been announced, has not been tagged), when it is released, QuicTLS will be updated.

[FireMasterK]

OpenSSL 3.1.0 exists now and is tagged, will we be updating to that instead?

[baparham]

Apparently 3.1 is not an LTS branch, so node says they won't be upgrading to it, instead waiting for 3.0.9 when it comes out.

[richsalz]

Our goal is to track the 3.1 and 3.0.x releases. I am closing this issue. Please open a new one if we don't meet the goal.