On 08/25/2016 03:32 PM, Neal Gompa wrote:
> That means nodejs, etc. do not use the system openssl libs? How is that
> managed? What is the procedure for CVEs, security errata, etc.?
Up until today, Node.js in EPEL 6 and 7 was using the very old 0.10.x series which was
compatible with our system OpenSSL. However, Node.js 4.x and later requires at least
1.0.2... or at least I thought it did until I saw the RDO patch in this thread.
I'm going to explore that option today; it may indeed be the easiest answer.
To answer your question: current versions of Node.js use the system libs, so they're
covered. That being said, Node.js upstream follows the CVE announcements of OpenSSL
closely and regularly releases new versions with those fixes applied. (Not that it matters
in our case).
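The question underneath this exchange is whether a given Node.js binary is patched by the distribution's OpenSSL errata (shared system library) or only by a new Node.js release (bundled copy). The script below is an added example written for this page, not code from the thread or from the Fedora/EPEL packaging; it reads `process.config.variables.node_shared_openssl` and `process.versions.openssl`, which Node exposes on every build, and compares the linked version against the 1.0.2 minimum the mail mentions. The function names and the `patchedBy` wording are the example's own.

```javascript
// Added example, not part of the mailing-list thread.
// Report whether this Node.js binary uses the system (shared) OpenSSL or a
// bundled copy, and whether the linked version meets the minimum named above.

// Minimum taken from the mail ("Node.js 4.x and later requires at least 1.0.2").
const MINIMUM_OPENSSL = '1.0.2';

// Turn "1.0.2k-fips" into [1, 0, 2] and "3.0.13+quic" into [3, 0, 13].
// Letter suffixes (1.0.1e) and build tags are ignored for the comparison.
function parseOpenSSLVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unrecognised OpenSSL version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1, 0 or 1 on the numeric major.minor.patch triple.
function compareVersions(a, b) {
  const pa = parseOpenSSLVersion(a);
  const pb = parseOpenSSLVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// `proc` defaults to the real process; a stand-in object can be passed so the
// logic can be exercised against constructed values (as the self-check does).
function opensslLinkage(proc = process) {
  const vars = (proc.config && proc.config.variables) || {};
  const shared = Boolean(vars.node_shared_openssl); // true when built against the system library
  const version = proc.versions.openssl;
  return {
    shared,
    version,
    meetsMinimum: compareVersions(version, MINIMUM_OPENSSL) >= 0,
    // Shared: the distro's OpenSSL errata fix it in place.
    // Bundled: only a rebuilt/updated Node.js package carries the fix.
    patchedBy: shared ? 'distribution OpenSSL errata' : 'Node.js upstream releases',
  };
}

console.log(opensslLinkage());
```

Run it with `node` on the package in question; `shared: true` means the errata process Neal asked about covers the binary, while `shared: false` means the security team has to track Node.js upstream releases for OpenSSL fixes.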