Comment 11 for bug 1979639

David Zuelke (dzuelke) wrote :

So I think a big class of programs to consider that are potentially affected by this are those that use a statically linked OpenSSL v1, not just Node.js or any leftover programs that dynamically link against libssl1.1.

And that's... a lot of software off the internet ;)

If it is indeed the case that OpenSSL falls back to exactly the default behavior that the current config specifies in its sections when those sections aren't there, then IMO the backport still makes a lot of sense.

Anyway... it appears as though Node.js has fixed this as a side effect of their recent update: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#dll-hijacking-on-windows-high-cve-2022-32223

I was able to verify that the latest 14.20 and 16.16 releases work fine.