This notice is to advise all Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently identified bash security vulnerability CVE-2014-6271 (http://seclists.org/oss-sec/2014/q3/649) and the follow-on CVE-2014-7169 (https://access.redhat.com/security/cve/CVE-2014-7169), collectively known as Shellshock.
Note that CVE-2014-7169 has arisen due to incomplete fixes created for the CVE-2014-6271 vulnerability. (These fixes are created by the upstream maintainers of bash, not by Joyent.)
AT THIS TIME, JOYENT has patched the platform bash addressing CVE-2014-6271 as well as CVE-2014-7169 in the Joyent Public Cloud.
We are posting this information as a follow-up to prior notices on the Heartbleed bug to ensure customers have reviewed the suggested steps to identify and remediate any vulnerabilities.
Heartbleed is a security vulnerability in the OpenSSL encryption software, which is used by a large portion of the secured websites/systems on the Internet, and may also be used by you in your web sites, and/or applications hosted on the Joyent Cloud platform.
UPDATE as of 8:09am PDT (15:09 UTC) on 21-June-2014 - New fixed OpenSSL package now available in 2013Q2 repository
UPDATE as of 8:30am PDT (15:30 UTC) on 20-June-2014 - See section below regarding 2013Q2 repository
RESOLVED - UPDATE as of 11:30am PDT (18:30 UTC) on 09-June-2014
This notice is to advise Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently identified OpenSSL security issue CVE-2014-0224 (https://www.openssl.org/news/secadv_20140605.txt).
SmartOS users: If you use the images with their original pkgsrc repositories as intended, check which package repository your image uses by looking at /opt/local/etc/pkgin/repositories.
This notice is to advise Joyent Public Cloud and SmartDataCenter customers of the recently identified OpenSSL security issue CVE-2014-0160 (https://www.openssl.org/news/secadv_20140407.txt and http://heartbleed.com).
SmartOS users: If you use the images with their original pkgsrc repositories as intended, check which package repository your image uses by looking at /opt/local/etc/pkgin/repositories.conf. If your repository is any of the following, and you have installed the openssl package using pkgin, you are vulnerable: