TPS-2016-009 Node.js Vulnerabilities CVE-2016-1669 and CVE-2014-9748

How To Update Your Services

SmartOS Users

New releases of the Node.js packages have been added to the 2016Q1 pkgsrc repository. The following latest package releases address the vulnerabilities outlined in this notice:

nodejs-5.12.0.tgz
nodejs-4.4.7.tgz
nodejs-0.12.15.tgz
nodejs-0.10.46.tgz

If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command (you may want to first test for any potential incompatibilities on a non-production machine):

TPS-2016-008 OpenSSL CVE-2016-2108, CVE-2016-2107, Other Vulnerabilities

How To Update Your Services

Triton Cloud (public cloud) users and Triton Enterprise (on-premises, private cloud) software users

Update to the fixed release of the affected versions, as shown in the table below:

CVE | Version(s) Affected | Fixed Release(s) | Where Available
CVE-2016-2108 | OpenSSL 1.0.1, OpenSSL 1.0.2 | OpenSSL 1.0.1o, OpenSSL 1.0.2c | 2014Q2, 2014Q4, 2015Q2
CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176 | OpenSSL 1.0.1 | OpenSSL 1.

TPS-2016-007 Docker, DTrace and MAC Protection Vulnerabilities

Overview

Introduction

This notice is to ensure that all Triton Cloud customers, all on-premises operators of Triton Enterprise (formerly SmartDataCenter or SDC) and all open source Triton users are aware of vulnerabilities reported to us by research contributors at Trend Micro’s Zero Day Initiative, and some discovered by our own Engineering team:

All necessary fixes have been applied to Triton Cloud (formerly Joyent Public Cloud or JPC). No action is required by Triton Cloud customers.

TPS-2016-006 Node.js Vulnerabilities CVE-2016-2086 and CVE-2016-2216

How To Update Your Services

SmartOS Users

New releases of the Node.js packages have been added to the 2014Q4 and 2015Q4 pkgsrc repositories. The following latest package releases address the vulnerabilities outlined in this notice:

nodejs-0.10.42.tgz
nodejs-0.12.10.tgz
nodejs-4.3.0.tgz
nodejs-5.6.0.tgz

If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command (you may want to first test for any potential incompatibilities on a non-production machine):

TPS-2016-005 OpenSSL CVE-2016-0800, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799 and CVE-2016-0702

How To Update Your Services

SmartOS Users

The new releases referenced in the “Original Notice” section (below) have been added to the 2014Q4 and 2015Q4 pkgsrc repositories. The following latest package releases address the vulnerabilities outlined in this notice:

openssl-1.0.1s.tgz (now available in the 2014Q4 pkgsrc repository)
openssl-1.0.2g.tgz (now available in the 2015Q4 pkgsrc repository)

If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command (you may want to first test for any potential incompatibilities on a non-production machine):

TPS-2016-004 CVE-2015-7547 glibc getaddrinfo stack-based buffer overflow

Joyent Engineers are aware of the glibc security vulnerability (CVE-2015-7547), which is believed to affect all versions of glibc since 2.9. The glibc DNS client-side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack. Joyent customers using glibc in their Docker containers, LX zones, or KVM instances are advised to update glibc if they are on a vulnerable version.

TPS-2016-003 ZDI-CAN-3263, ZDI-CAN-3284 and ZDI-CAN-3364 Vulnerabilities

Overview

Please read this first

Through HP’s Zero Day Initiative, we have previously been made aware of the three security issues described in this Overview:

These vulnerabilities have already been fixed throughout the Joyent Public Cloud. On-premises Triton (SDC7) software customers can mitigate all of these issues by following the (previously-provided) instructions referenced in the Recommendations/Fixes section below. These three vulnerabilities will be announced on Tuesday, 16-February-2016 at Zero Day’s “Upcoming Advisories”.

TPS-2016-002 OpenSSH CVE-2016-0777 and CVE-2016-0778

Overview

Two new vulnerabilities in the OpenSSH SSH client (CVE-2016-0777 and CVE-2016-0778) allow a malicious or compromised SSH server to induce the client to leak arbitrary memory (including the client’s private keys), and, in some versions of the client, execute arbitrary code on the client system. The client checks the server’s host keys before reaching the point of vulnerability, so a man-in-the-middle attack is not a realistic vector (unless the server’s host keys have already been disclosed).

TPS-2016-001 Node.js Vulnerabilities CVE-2015-8027 and CVE-2015-6764

SmartOS Users

New releases of the Node.js packages have been added to the 2014Q4 pkgsrc repository. The following latest package releases address the vulnerabilities outlined in this notice:

nodejs-0.12.9.tgz
nodejs-4.2.3.tgz

If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following commands:

pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/nodejs-0.12.9.tgz
pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/nodejs-4.2.3.tgz

You can visit the Node.js website for more information about these vulnerabilities, and the specific releases that have been identified as vulnerable.

TPS-2015-007 OpenSSL Security Advisory

SmartOS Users

As per the table below, users should update to the fixed release of the affected versions. Users running the older 1.0.0 or 0.9.8 versions of OpenSSL are advised to upgrade to later versions of OpenSSL.

CVE | Version(s) Affected | Fixed Release(s) | Where Available (pkgsrc repo)
CVE-2015-3193 | OpenSSL 1.0.2 | OpenSSL 1.0.2e | 2015Q3
CVE-2015-3194 | OpenSSL 1.0.2, 1.0.1 | OpenSSL 1.