[UPDATED] OpenSSL Security Advisory (3-Dec-2015)

Elizabeth -

**NEW UPDATE (as of 18:00 UTC 8-Dec-2015)**

SmartOS Users

As per the table outlined below, users should update to the fixed release of the affected versions. For users running on the older 1.0.0 or 0.9.8 versions of OpenSSL, you are advised to upgrade to later versions of OpenSSL.

CVE Version(s) Affected Fixed Release(s) Where Available (pkgsrc repo)
CVE-2015-3193 OpenSSL 1.0.2 OpenSSL 1.0.2e 2015Q3
CVE-2015-3194 OpenSSL 1.0.2, 1.0.1 OpenSSL 1.0.2e, 1.0.1q 2015Q3, 2014Q4
CVE-2015-3195 OpenSSL 1.0.2, 1.0.1, 1.0.0, 0.9.8 OpenSSL 1.0.2e, 1.0.1q, 1.0.0t, 0.9.8zh 2015Q3, 2014Q4 (only 1.0.2, 1.0.1)
CVE-2015-3196 OpenSSL 1.0.2, 1.0.1, 1.0.0 OpenSSL 1.0.2d, 1.0.1p, 1.0.0t 2015Q3, 2014Q4 (only 1.0.2, 1.0.1)
CVE-2015-1794 OpenSSL 1.0.2 OpenSSL 1.0.2e 2015Q3

 

You can determine whether OpenSSL is installed (as well as the version you have installed) by running: 

$ pkgin ls | grep -i openssl

 

Customers can re-install OpenSSL with the following commands:
$ pkgin -y up && pkgin -y in openssl

 

Or, install the version needed (if only available in a different repository), by running:

 $ pkg_add pkgsrc_path_to_package

 

For example, if you need to install OpenSSL version 1.0.2e from the 2015Q3 repository, but you are running on an image that is using a different repository, you can install the 1.0.2e version by running:

$ pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2015Q3/x86_64/All/openssl-1.0.2e.tgz

 

Linux Users

Please check the notices applicable to the Linux Distro you are using for the necessary remedial actions:

Debian: https://www.debian.org/security/2015/dsa-3413

Centos/Red Hat/Fedora: https://access.redhat.com/solutions/2076883

Ubuntu: http://www.ubuntu.com/usn/usn-2830-1/

 

Joyent Manta, CloudAPI and Portal

Please be assured that any Joyent components identified as being affected will be updated.
 

Node.js Users

Versions v0.10.x through 4.x were affected. It is advised that you update node.js to the latest version releases:
  • nodejs-0.10.41 (pending)
  • nodejs-0.12.9 (available in 2014Q4 pkgsrc repo, pending availability in 2015* repo's)
  • nodejs-4.2.3 (available in 2014Q4 pkgsrc repo, pending availability in 2015* repo's)

Please also take note of the most recently announced Node.js vulnerabilities outlined here.

We will continue to update this notice with any new information in due course, so please check back periodically for any new details.

ORIGINAL NOTICE:

This notice is to advise all Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently-identified OpenSSL security vulnerabilities CVE-2015-3193, CVE-2015-3194, CVE-2015-3195 and CVE-2015-3196. More information about these vulnerabilities can be reviewed here.

We believe these security vulnerabilities do not pose a significant threat at this time. However, in due course we will update this notice to confirm the actions taken by Joyent, and provide specific details of any required actions that will need to be taken by both JPC and SDC customers.

At any time, please do not hesitate to contact our Support team (by raising a ticket at https://help.joyent.com or by email to support@joyent.com) if you have any questions or concerns.

Have more questions? Submit a request

0 Comments

Article is closed for comments.