How To Update Your Services SmartOS Users New releases of the node.js packages have been added to the 2014Q4 and 2015Q4 pkgsrc repositories. The following latest package releases address the vulnerabilities outlined in this notice: nodejs-0.10.42.tgz nodejs-0.12.10.tgz nodejs-4.3.0.tgz nodejs-5.6.0.tgz If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command (you may want to first test for any potential incompatibilities on a non-production machine):

How To Update Your Services SmartOS Users The new releases referenced in the “Original Notice” section (below) have been added to the 2014Q4 and 2015Q4 pkgsrc repositories. The following latest package releases address the vulnerabilities outlined in this notice: openssl-1.0.1s.tgz (now available in the 2014Q4 pkgsrc repository) openssl-1.0.2g.tgz (now available in the 2015Q4 repository) If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command (you may want to first test for any potential incompatibilities on a non-production machine):

Joyent Engineers are aware of the glibc (CVE-2015-7547) security vulnerability believed to be found in all versions of the glibc since 2.9. The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack. For any Joyent customers using glibc in their [Docker containers2], LX zones, or KVM instances, it is advised to update glibc if you are on a vulnerable version.

Overview Please read this first Through HP’s Zero Day Initiative, we have previously been made aware of the three security issues described in this Overview: These vulnerabilities have already been fixed throughout the Joyent Public Cloud. On-premises Triton (SDC7) software customers can mitigate all of these issues by following the (previously-provided) instructions referenced in the Recommendations/Fixes section below. These three vulnerabilities will be announced on Tuesday, 16-February-2016 at Zero Day’s “Upcoming Advisories”.

Overview Two new vulnerabilities in the OpenSSH SSH client (CVE-2016-0777 and CVE-2016-0778) allow a malicious or compromised SSH server to induce the client to leak arbitrary memory (including the client’s private keys), and, in some versions of the client, execute arbitrary code on the client system. The client checks the server’s host keys before reaching the point of vulnerability, so a man-in-the-middle attack is not a realistic vector (unless the server’s host keys have already been disclosed).

SmartOS Users New releases of the node.js packages have been added to the 2014Q4 pkgsrc repository. The following latest package releases address the vulnerabilities outlined in this notice: nodejs-0.12.9.tgz nodejs-4.2.3.tgz If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command: pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/nodejs-0.12.9.tgz pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/nodejs-4.2.3.tgz You can visit the Node.js website for more information about these vulnerabilities, and the specific releases that have been identified as vulnerable.

SmartOS Users As per the table outlined below, users should update to the fixed release of the affected versions. For users running on the older 1.0.0 or 0.9.8 versions of OpenSSL, you are advised to upgrade to later versions of OpenSSL. CVE Version(s) Affected Fixed Release(s) Where Available (pkgsrc repo) CVE-2015-3193 OpenSSL 1.0.2 OpenSSL 1.0.2e 2015Q3 CVE-2015-3194 OpenSSL 1.0.2, 1.0.1 OpenSSL 1.0.2e, 1.0.1q 2015Q3, 2014Q4 CVE-2015-3195 OpenSSL 1.0.2, 1.0.1, 1.0.0, 0.

Introduction This advisory describes the scope of the recently-announced, “high-severity” OpenSSL vulnerability classified as CVE-2015-1793. This vulnerability could allow “man-in-the-middle” attackers to impersonate HTTPS servers and snoop on encrypted traffic. Described in the sections below are actions being taken by Joyent, and actions recommended for customers to take. This article is meant to be used in addition to our 18-June-2015 and 20-March-2015 advisories regarding previously-announced OpenSSL vulnerabilities. Upgrading your own OpenSSL version 1.

Summary Vulnerability in Node.js 0.11.x thru 0.12.5 – this issue is resolved as follows in Node.js version 0.12.6: Fixed an out-of-band write in utf8 decoder. Impacts all Buffer to String conversions. This is an important security update as it can be used to cause a denial of service attack. Status pkgsrc 2014Q4 and 2015Q1 have been updated with nodejs-0.12.6. Customers can upgrade as follows: pkgin up pkgin upgrade nodejs If you have any questions regarding this issue, please contact Joyent Support by creating a ticket at https://help.

Introduction This advisory describes the scope of the following recently-announced OpenSSL vulnerabilities, including Logjam: CVE-2015-4000 (Logjam) CVE-2015-1788 CVE-2015-1789 CVE-2015-1790 CVE-2015-1792 CVE-2015-1791 CVE-2014-8176 Described in the sections below are actions being taken by Joyent, and actions recommended for customers to take: We made this advisory public on 18-June-2015. This advisory is meant to be used in addition to our 20-March-2015 article regarding previously-announced OpenSSL vulnerabilities. Upgrading your own OpenSSL version 1.0.1 or 1.