**NEW UPDATE (as of 18:00 UTC 8-Dec-2015)**
As per the table below, users should update to the fixed release for the affected version they are running. If you are running the older 1.0.0 or 0.9.8 versions of OpenSSL, you are advised to upgrade to a later version of OpenSSL.
| CVE | Version(s) Affected | Fixed Release(s) | Where Available (pkgsrc repo) |
|---|---|---|---|
| CVE-2015-3193 | OpenSSL 1.0.2 | OpenSSL 1.0.2e | 2015Q3 |
| CVE-2015-3194 | OpenSSL 1.0.2, 1.0.1 | OpenSSL 1.0.2e, 1.0.1q | 2015Q3, 2014Q4 |
| CVE-2015-3195 | OpenSSL 1.0.2, 1.0.1, 1.0.0, 0.9.8 | OpenSSL 1.0.2e, 1.0.1q, 1.0.0t, 0.9.8zh | 2015Q3, 2014Q4 (only 1.0.2, 1.0.1) |
| CVE-2015-3196 | OpenSSL 1.0.2, 1.0.1, 1.0.0 | OpenSSL 1.0.2d, 1.0.1p, 1.0.0t | 2015Q3, 2014Q4 (only 1.0.2, 1.0.1) |
| CVE-2015-1794 | OpenSSL 1.0.2 | OpenSSL 1.0.2e | 2015Q3 |
You can determine whether OpenSSL is installed (as well as the version you have installed) by running:
$ pkgin ls | grep -i openssl
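To update the package database and then install the current OpenSSL package from your repository, run:
$ pkgin -y up && pkgin -y in openssl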
Or, install the version needed (if only available in a different repository), by running:
$ pkg_add pkgsrc_path_to_package
For example, if you need to install OpenSSL version 1.0.2e from the 2015Q3 repository, but you are running on an image that is using a different repository, you can install the 1.0.2e version by running:
$ pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2015Q3/x86_64/All/openssl-1.0.2e.tgz
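As an added example (not part of Joyent's notice), the following script takes an installed package name such as the one shown by `pkgin ls` and reports which CVEs from the table above are still unfixed in it. The function names and sample package names are constructed for illustration; it assumes any release on an affected branch below the listed fixed release is unfixed, and that a pkgsrc revision suffix (`nbN`) may follow the version.

```shell
#!/bin/sh
# Fixed release per CVE and branch (branch:letter), copied from the table above.
FIXES='CVE-2015-3193 1.0.2:e
CVE-2015-3194 1.0.2:e 1.0.1:q
CVE-2015-3195 1.0.2:e 1.0.1:q 1.0.0:t 0.9.8:zh
CVE-2015-3196 1.0.2:d 1.0.1:p 1.0.0:t
CVE-2015-1794 1.0.2:e'

# Extract the version from a package name such as "openssl-1.0.1pnb1",
# dropping a pkgsrc revision suffix (nbN) if present (assumed naming).
pkg_version() {
    printf '%s\n' "$1" | sed -e 's/^openssl-//' -e 's/nb[0-9]*$//'
}

# Succeeds when patch letter $1 is older than $2. OpenSSL letters run
# a..z, then za, zb, ...; byte-wise string order matches release order,
# and a bare branch release (no letter) sorts before "a".
letter_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)" = "$1" ]
}

# Print the CVEs from the table that are unfixed in OpenSSL version $1,
# space-separated on one line (an empty line means none).
unfixed_cves() {
    branch=$(printf '%s\n' "$1" | sed 's/[a-z]*$//')
    letter=$(printf '%s\n' "$1" | sed 's/^[0-9.]*//')
    out=''
    while read -r cve fixes; do
        for f in $fixes; do
            if [ "${f%%:*}" = "$branch" ] && letter_lt "$letter" "${f#*:}"; then
                out="$out $cve"
            fi
        done
    done <<EOF
$FIXES
EOF
    printf '%s\n' "${out# }"
}

# Constructed sample package names (not output from a real host).
for p in openssl-1.0.2d openssl-1.0.1pnb1 openssl-0.9.8zh; do
    printf '%s: %s\n' "$p" "$(unfixed_cves "$(pkg_version "$p")")"
done
```

On a real host, pass the first field of the matching `pkgin ls` line to `pkg_version` instead of the sample names.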
Please check the notices applicable to the Linux distribution you are using for the necessary remedial actions:
CentOS/Red Hat/Fedora: https://access.redhat.com/solutions/2076883
Joyent Manta, CloudAPI and Portal
Please be assured that any Joyent components identified as being affected will be updated.
- nodejs-0.10.41 (pending)
- nodejs-0.12.9 (available in 2014Q4 pkgsrc repo, pending availability in 2015* repos)
- nodejs-4.2.3 (available in 2014Q4 pkgsrc repo, pending availability in 2015* repos)
Please also take note of the most recently announced Node.js vulnerabilities outlined here.
We will continue to update this notice with any new information in due course, so please check back periodically for any new details.
This notice is to advise all Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently-identified OpenSSL security vulnerabilities CVE-2015-3193, CVE-2015-3194, CVE-2015-3195 and CVE-2015-3196. More information about these vulnerabilities can be reviewed here.
We believe these security vulnerabilities do not pose a significant threat at this time. However, in due course we will update this notice to confirm the actions taken by Joyent, and provide specific details of any required actions that will need to be taken by both JPC and SDC customers.