quictls / openssl

TLS/SSL and crypto library with QUIC APIs
https://quictls.github.io/openssl
Apache License 2.0
366 stars 50 forks

[Question] Will upgrade openSSL to 3.0.9? #47443 #113

Closed puremdq closed 1 year ago

puremdq commented 1 year ago

Recently there have been several vulnerabilities reported about OpenSSL (https://github.com/advisories/GHSA-w2w6-xp88-5cvw, https://github.com/advisories/GHSA-77f3-6546-6rj7, https://github.com/advisories/GHSA-pxvj-4wx4-gv6w); these vulnerabilities are fixed in OpenSSL 3.0.9. Will Node.js consider updating its OpenSSL to this version? Thanks.

baparham commented 1 year ago

@tmshort Do you have a plan to bump to 3.0.9 soon or should someone take a shot at making a PR rebasing against the upstream 3.0.9?

[edit: I can now see that 3.0.9 isn't released nor tagged upstream yet, so I suppose it makes perfect sense that this hasn't tracked to that change!]

tmshort commented 1 year ago

OpenSSL 3.0.9 doesn't exist yet (it has not been announced or tagged). When it is released, QuicTLS will be updated.

FireMasterK commented 1 year ago

OpenSSL 3.1.0 exists now and is tagged; will we be updating to that instead?

baparham commented 1 year ago

Apparently 3.1 is not an LTS branch, so Node says they won't be upgrading to it, and will instead wait for 3.0.9 when it comes out.

richsalz commented 1 year ago

Our goal is to track the 3.1 and 3.0.x releases. I am closing this issue. Please open a new one if we don't meet the goal.