Closed puremdq closed 1 year ago
@tmshort Do you have a plan to bump to 3.0.9 soon or should someone take a shot at making a PR rebasing against the upstream 3.0.9?
[edit: I can now see that 3.0.9 isn't released nor tagged upstream yet, so I suppose it makes perfect sense that this hasn't tracked to that change!]
OpenSSL 3.0.9 doesn't exist yet (has not been announced, has not been tagged). When it is released, QuicTLS will be updated.
OpenSSL 3.1.0 exists now and is tagged. Will we be updating to that instead?
Apparently 3.1 is not an LTS branch, so node says they won't be upgrading to it, instead waiting for 3.0.9 when it comes out.
Our goal is to track the 3.1 and 3.0.x releases. I am closing this issue. Please open a new one if we don't meet the goal.
Recently, several vulnerabilities have been reported in OpenSSL (https://github.com/advisories/GHSA-w2w6-xp88-5cvw, https://github.com/advisories/GHSA-77f3-6546-6rj7, https://github.com/advisories/GHSA-pxvj-4wx4-gv6w). These vulnerabilities are fixed in OpenSSL 3.0.9. Will Node.js consider updating its OpenSSL to this version? Thanks.