> On 08/25/2016 03:32 PM, Neal Gompa wrote:
> 
> That means nodejs, etc. do not use the system openssl libs?  How is that 
> managed?  What is the procedure for CVEs, security errata, etc.?

Up until today, Node.js in EPEL 6 and 7 was using the very old 0.10.x series 
which was compatible with our system OpenSSL. However, Node.js 4.x and later 
requires at least 1.0.2... or at least I thought it did until I saw the RDO 
patch in this thread.

I'm going to explore that option today; it may indeed be the easiest answer.

To answer your question: current versions of Node.js use the system libs, so 
they're covered. That being said, Node.js upstream follows the CVE 
announcements of OpenSSL closely and regularly releases new versions with those 
fixes applied. (Not that it matters in our case).
_______________________________________________
epel-devel mailing list