[NEW UPDATE] OpenSSL Vulnerability CVE-2014-0224

Sean G. -

UPDATE as of 8:09am PDT (15:09 UTC) on 21-June-2014 - New *fixed* OpenSSL package now available in 2013Q2 repository

UPDATE as of 8:30am PDT (15:30 UTC) on 20-June-2014 - See section below regarding 2013Q2 repository

RESOLVED - UPDATE as of 11:30am PDT (18:30 UTC) on 09-June-2014

This notice is to advise Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently identified OpenSSL security issue CVE-2014-0224 (https://www.openssl.org/news/secadv_20140605.txt).

 

SmartOS users

If you use the images with their original pkgsrc repositories as intended, check which package repository your image uses by looking at /opt/local/etc/pkgin/repositories.conf.  If your repository is any of the following, and you have installed the openssl package using pkgin, you are vulnerable:

2014Q1

2013Q4 

2013Q3

2013Q2 *

2013Q1

2012Q4

 

You can determine whether OpenSSL is installed by running: 

 pkgin ls | grep -i openssl

 

A patch has been prepared, and updated packages have been built and added to the affected repositories. All branches have been upgraded to OpenSSL version 1.0.1h, except for the 2013Q2 repository (marked * above), where you should install:

openssl-1.0.1hnb1.tgz  

 

Customers can re-install OpenSSL with the following commands:

 pkgin -y up && pkgin -y in openssl
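
The SmartOS checks above, combined into one script. This is an added example, not Joyent's own tooling. It assumes that repositories.conf carries the branch name as a URL path component and that `pkgin ls` prints "name-version description"; the function names and status strings are hypothetical.

```shell
#!/bin/sh
# Added example: triage a SmartOS zone against this advisory.
# Assumptions: repositories.conf holds one repository URL per line with the
# pkgsrc branch as a path component, e.g. this constructed line:
#   http://pkgsrc.example/packages/SmartOS/2013Q2/x86_64/All
# and `pkgin ls` prints "name-version  description" per installed package.

AFFECTED="2014Q1 2013Q4 2013Q3 2013Q2 2013Q1 2012Q4"   # list from the advisory

# Print the pkgsrc branch from the first uncommented URL in a repositories.conf.
repo_branch() {
    sed -n 's/^[^#]*\/\(20[0-9][0-9]Q[1-4]\)\/.*/\1/p' "$1" | head -n 1
}

# Read `pkgin ls` output on stdin; print the installed openssl version, if any.
openssl_version() {
    awk '$1 ~ /^openssl-[0-9]/ { sub(/^openssl-/, "", $1); print $1; exit }'
}

# classify BRANCH VERSION
# prints: branch-not-listed | not-installed | patched | needs-update
classify() {
    case " $AFFECTED " in
        *" $1 "*) ;;
        *) echo branch-not-listed; return ;;
    esac
    [ -n "$2" ] || { echo not-installed; return; }
    if [ "$1" = 2013Q2 ]; then
        # Assumption: for 2013Q2 only the build named in the advisory counts.
        [ "$2" = 1.0.1hnb1 ] && echo patched || echo needs-update
    else
        case "$2" in 1.0.1h*) echo patched ;; *) echo needs-update ;; esac
    fi
}

# Live check; runs only where pkgin exists (i.e. on the SmartOS zone itself).
if command -v pkgin >/dev/null 2>&1; then
    conf=/opt/local/etc/pkgin/repositories.conf
    branch=$(repo_branch "$conf")
    version=$(pkgin ls | openssl_version)
    echo "branch=$branch openssl=${version:-none} status=$(classify "$branch" "$version")"
fi
```

A status of needs-update means the re-install command above still has to be run in that zone; the script compares only against the package versions this notice names.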

  

Linux Users

Please check the notices applicable to the Linux distribution you are using for the necessary remedial actions:

Debian: https://www.debian.org/security/2014/dsa-2950

CentOS/Red Hat/Fedora: https://rhn.redhat.com/errata/RHSA-2014-0631.html

Ubuntu: http://www.ubuntu.com/usn/usn-2232-1/

 

Joyent Manta, CloudAPI and Portal 

Please be assured that the Joyent HTTPS endpoints for Manta, CloudAPI and the portal at https://my.joyent.com are not vulnerable to this issue.

 

Stingray Users

Stingray instances are not affected by this vulnerability.

 

 

 
