<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>linux on Triton Product Security</title>
    <link>/tags/linux/</link>
    <description>Recent content in linux on Triton Product Security</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <lastBuildDate>Thu, 13 Mar 2025 14:37:00 -0400</lastBuildDate><atom:link href="/tags/linux/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>TPS-2025-002 Debian 12 LX image from 2024-07-26 has static SSH host keys</title>
      <link>/tps-2025-002/</link>
      <pubDate>Thu, 13 Mar 2025 14:37:00 -0400</pubDate>
      
      <guid>/tps-2025-002/</guid>
      <description>Overview Per today&amp;rsquo;s email to the SmartOS and Triton discussion lists, we are taking down image 60f76fd2-143f-4f57-819b-1ae32684e81b from our image repository today. That image shipped with pre-generated SSH host keys, so unless an LX zone has regenerated them, the same host keys are shared by every LX zone running that image.
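<![CDATA[
As an added check, not part of this advisory or of the Triton tooling: the Python below takes ssh-keyscan(1) output for a set of LX zones and reports any host key that appears on more than one host, printing fingerprints in the same SHA256 format as ssh-keygen -l so they can be compared against fingerprints taken from the affected image. The zone names and key blobs are constructed sample data, not real keys; the function names are this example's own.

```python
import base64
import hashlib
from collections import defaultdict


def make_blob(label):
    """Constructed stand-in for a public-key blob: arbitrary bytes, base64-encoded
    the way ssh-keyscan prints a real key. Not a real key."""
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + label.encode()).decode()


# Constructed sample in ssh-keyscan(1) output format: "host keytype base64-blob".
# zone-a and zone-c deliberately carry the same blob, as zones deployed from one
# image with pre-generated host keys would.
SAMPLE_KEYSCAN = "\n".join([
    "# zone-a:22 SSH-2.0-OpenSSH_9.2p1 Debian-2",
    "zone-a ssh-ed25519 " + make_blob("key-baked-into-image"),
    "zone-b ssh-ed25519 " + make_blob("unique-key-zone-b"),
    "zone-c ssh-ed25519 " + make_blob("key-baked-into-image"),
    "zone-c ecdsa-sha2-nistp256 " + make_blob("unique-ecdsa-zone-c"),
])


def fingerprint(b64_key):
    """SHA256 fingerprint in the format ssh-keygen -l prints: 'SHA256:' followed by
    the unpadded base64 of the SHA-256 digest of the raw key blob."""
    raw = base64.b64decode(b64_key)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text):
    """Yield (host, keytype, b64_key) for each key line; comment lines start with '#'."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], parts[2]


def find_shared_host_keys(text):
    """Group hosts by (keytype, fingerprint) and return only the keys seen on
    more than one host: a shared host key means those hosts still carry the
    image's pre-generated key material."""
    hosts_by_key = defaultdict(set)
    for host, keytype, b64_key in parse_keyscan(text):
        hosts_by_key[(keytype, fingerprint(b64_key))].add(host)
    return {key: sorted(hosts) for key, hosts in hosts_by_key.items() if len(hosts) > 1}


def hosts_with_known_bad_keys(text, bad_fingerprints):
    """Return the hosts whose host-key fingerprint is on a known-bad list, e.g. the
    fingerprints recorded from the affected image before it was removed."""
    return sorted({host for host, _, b64 in parse_keyscan(text)
                   if fingerprint(b64) in bad_fingerprints})


if __name__ == "__main__":
    for (keytype, fp), hosts in find_shared_host_keys(SAMPLE_KEYSCAN).items():
        print("%s %s shared by: %s" % (keytype, fp, ", ".join(hosts)))
```

To run it against real zones, pipe the output of ssh-keyscan for the zone list into find_shared_host_keys; any fingerprint reported for more than one zone means those zones never regenerated their host keys. Regenerating them in OpenSSH is done by removing the /etc/ssh/ssh_host_* files and running ssh-keygen -A, after which the fingerprints seen by clients will change and known_hosts entries for those zones must be updated.
]]>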
Actions Taken by Us Before this discovery, we had already updated the Debian 12 LX image to 28f872d5-8227-4f7d-b8f6-30bd5db1f1ac (dated 2025-01-20). We have now removed image 60f76fd2-143f-4f57-819b-1ae32684e81b (dated 2024-07-06) completely.</description>
    </item>
    
    <item>
      <title>TPS-2019-002 SSH public keys of Joyent users/development hosts in some published images</title>
      <link>/tps-2019-002/</link>
      <pubDate>Thu, 28 Feb 2019 00:00:00 +0000</pubDate>
      
      <guid>/tps-2019-002/</guid>
      <description>Overview In the process of creating images, some of Joyent&amp;rsquo;s internal-use SSH public keys were inadvertently left in certain published images. This led to the risk of potential unauthorized access to instances using the affected images.
Joyent acknowledges the assistance of an Open Source user in discovering this issue.
Background Joyent creates and publishes images to our Triton public cloud. These images are of various operating systems, to be used by customers in creating instances that run on the cloud.</description>
    </item>
    
    <item>
      <title>TPS-2019-001 Certain Docker or Kubernetes configurations in KVM or bhyve (CVE-2019-5736)</title>
      <link>/tps-2019-001/</link>
      <pubDate>Thu, 14 Feb 2019 00:00:00 +0000</pubDate>
      
      <guid>/tps-2019-001/</guid>
      <description>Overview CVE-2019-5736 has been assessed and the remediation is detailed here.
This vulnerability is exploitable by code running as root inside a container, which is the default for Docker containers; it does not require the privileged-container configuration, although privileged containers are an unsafe configuration in any case.
SmartOS is immune to this attack. While Triton and SmartOS implement the same interface as Docker, the runC program that is used on Linux is not used in SmartOS. SmartOS is likewise not exposed to similar vulnerabilities in other container runtimes, because SmartOS enforces per-zone identity more strictly than Linux privileged containers do.</description>
    </item>
    
    <item>
      <title>TPS-2017-002 High-Severity &#34;Dirty Cow&#34; Vulnerability (CVE-2016-5195)</title>
      <link>/tps-2017-002/</link>
      <pubDate>Thu, 05 Jan 2017 02:37:19 +0000</pubDate>
      
      <guid>/tps-2017-002/</guid>
      <description>Overview This notice is to advise the user groups identified below of CVE-2016-5195, the high-severity &amp;ldquo;Dirty Cow&amp;rdquo; vulnerability first publicly disclosed in October 2016 (announced here and on other sites).
Description This race condition is in mm/gup.c in the Linux kernel 2.x through 4.x (before 4.8.3), and it allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping.
The only affected Joyent images are KVM images, so those have been updated accordingly.</description>
    </item>
    
    <item>
      <title>TPS-2016-010 OpenSSL High-Severity CVE-2016-6304 / Node.js CVE-2016-7099 and Other Vulnerabilities</title>
      <link>/tps-2016-010/</link>
      <pubDate>Mon, 10 Oct 2016 00:00:00 +0000</pubDate>
      
      <guid>/tps-2016-010/</guid>
      <description>How To Update Your Services SmartOS Users New releases of the Node.js and OpenSSL packages have been added to our pkgsrc repository (see below for specific details). The following latest package releases address the vulnerabilities outlined in this post&amp;rsquo;s &amp;ldquo;Original Notice&amp;rdquo; section:
nodejs-6.7.0.tgz (2016Q3)
nodejs-4.6.0.tgz (2014Q4, 2015Q4, 2016Q3)
nodejs-0.12.16.tgz (2014Q4, 2015Q4, 2016Q3)
nodejs-0.10.47.tgz (2014Q4, 2015Q4, 2016Q3)
openssl-1.0.2j.tgz (2015Q4, 2016Q3)
openssl-1.0.2i.tgz (2015Q4)
openssl-1.0.1u.tgz (2014Q4)
If you are running on an older SmartOS image that is using a deprecated pkgsrc repository, you may still try installing the correct fixed package by using the following command (NOTE: please test for any potential incompatibilities on a non-production machine prior to trying this):</description>
    </item>
    
    <item>
      <title>TPS-2016-009 Node.js Vulnerabilities CVE-2016-1669 and CVE-2014-9748</title>
      <link>/tps-2016-009/</link>
      <pubDate>Sun, 15 May 2016 00:00:00 +0000</pubDate>
      
      <guid>/tps-2016-009/</guid>
      <description>How To Update Your Services SmartOS Users New releases of the Node.js packages have been added to the 2016Q1 pkgsrc repository. The following latest package releases address the vulnerabilities outlined in this notice:
nodejs-5.12.0.tgz
nodejs-4.4.7.tgz
nodejs-0.12.15.tgz
nodejs-0.10.46.tgz
If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command (you may want to first test for any potential incompatibilities on a non-production machine):</description>
    </item>
    
    <item>
      <title>TPS-2016-008 OpenSSL CVE-2016-2108, CVE-2016-2107, Other Vulnerabilities</title>
      <link>/tps-2016-008/</link>
      <pubDate>Tue, 03 May 2016 00:00:00 +0000</pubDate>
      
      <guid>/tps-2016-008/</guid>
      <description>How To Update Your Services Triton Cloud (public cloud) users and Triton Enterprise (on-premises, private cloud) software users Update to the fixed release of the affected versions, as shown in the table below:
CVE | Version(s) Affected | Fixed Release(s) | Where Available
CVE-2016-2108 | OpenSSL 1.0.1, OpenSSL 1.0.2 | OpenSSL 1.0.1o, OpenSSL 1.0.2c | 2014Q2, 2014Q4 / 2015Q2
CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176 | OpenSSL 1.0.1 / OpenSSL 1.0.2 | OpenSSL 1.0.1o / OpenSSL 1.0.2h | 2014Q4 / 2015Q4, 2016Q1
You can determine whether OpenSSL is installed (as well as the version you have installed) by running:</description>
    </item>
    
    <item>
      <title>TPS-2016-006 Node.js Vulnerabilities CVE-2016-2086 and CVE-2016-2216</title>
      <link>/tps-2016-006/</link>
      <pubDate>Thu, 07 Apr 2016 00:00:00 +0000</pubDate>
      
      <guid>/tps-2016-006/</guid>
      <description>How To Update Your Services SmartOS Users New releases of the Node.js packages have been added to the 2014Q4 and 2015Q4 pkgsrc repositories. The following latest package releases address the vulnerabilities outlined in this notice:
nodejs-0.10.42.tgz
nodejs-0.12.10.tgz
nodejs-4.3.0.tgz
nodejs-5.6.0.tgz
If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command (you may want to first test for any potential incompatibilities on a non-production machine):</description>
    </item>
    
    <item>
      <title>TPS-2016-005 OpenSSL CVE-2016-0800, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799 and CVE-2016-0702</title>
      <link>/tps-2016-005/</link>
      <pubDate>Thu, 10 Mar 2016 00:00:00 +0000</pubDate>
      
      <guid>/tps-2016-005/</guid>
      <description>How To Update Your Services SmartOS Users The new releases referenced in the &amp;ldquo;Original Notice&amp;rdquo; section (below) have been added to the 2014Q4 and 2015Q4 pkgsrc repositories. The following latest package releases address the vulnerabilities outlined in this notice:
openssl-1.0.1s.tgz (now available in the 2014Q4 pkgsrc repository)
openssl-1.0.2g.tgz (now available in the 2015Q4 repository)
If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command (you may want to first test for any potential incompatibilities on a non-production machine):</description>
    </item>
    
    <item>
      <title>TPS-2016-004 CVE-2015-7547 glibc getaddrinfo stack-based buffer overflow</title>
      <link>/tps-2016-004/</link>
      <pubDate>Tue, 16 Feb 2016 00:00:00 +0000</pubDate>
      
      <guid>/tps-2016-004/</guid>
      <description>Joyent engineers are aware of the glibc security vulnerability CVE-2015-7547, believed to affect all versions of glibc since 2.9. The glibc DNS client-side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.
Any Joyent customers using glibc in their Docker containers, LX zones, or KVM instances are advised to update glibc if they are on a vulnerable version.</description>
    </item>
    
    <item>
      <title>TPS-2016-003 ZDI-CAN-3263, ZDI-CAN-3284 and ZDI-CAN-3364 Vulnerabilities</title>
      <link>/tps-2016-003/</link>
      <pubDate>Sun, 14 Feb 2016 00:00:00 +0000</pubDate>
      
      <guid>/tps-2016-003/</guid>
      <description>Overview Please read this first.
Through HP&amp;rsquo;s Zero Day Initiative (ZDI), we were previously made aware of the three security issues described in this overview (ZDI-CAN-3263, ZDI-CAN-3284 and ZDI-CAN-3364).
These vulnerabilities have already been fixed throughout the Joyent Public Cloud. On-premises Triton (SDC7) software customers can mitigate all of them by following the previously-provided instructions referenced in the Recommendations/Fixes section below. The three vulnerabilities will be announced publicly on Tuesday, 16-February-2016 under ZDI&amp;rsquo;s &amp;ldquo;Upcoming Advisories&amp;rdquo;.</description>
    </item>
    
    <item>
      <title>TPS-2016-002 OpenSSH CVE-2016-0777 and CVE-2016-0778</title>
      <link>/tps-2016-002/</link>
      <pubDate>Thu, 14 Jan 2016 00:00:00 +0000</pubDate>
      
      <guid>/tps-2016-002/</guid>
      <description>Overview Two new vulnerabilities in the OpenSSH SSH client (CVE-2016-0777 and CVE-2016-0778) allow a malicious or compromised SSH server to induce the client to leak arbitrary memory (including the client&amp;rsquo;s private keys), and, in some versions of the client, execute arbitrary code on the client system. The client checks the server&amp;rsquo;s host keys before reaching the point of vulnerability, so a man-in-the-middle attack is not a realistic vector (unless the server&amp;rsquo;s host keys have already been disclosed).</description>
    </item>
    
    <item>
      <title>TPS-2016-001 Node.js Vulnerabilities CVE-2015-8027 and CVE-2015-6764</title>
      <link>/tps-2016-001/</link>
      <pubDate>Sun, 03 Jan 2016 00:00:00 +0000</pubDate>
      
      <guid>/tps-2016-001/</guid>
      <description>SmartOS Users New releases of the Node.js packages have been added to the 2014Q4 pkgsrc repository. The following latest package releases address the vulnerabilities outlined in this notice:
nodejs-0.12.9.tgz
nodejs-4.2.3.tgz
If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following commands:
pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/nodejs-0.12.9.tgz
pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/nodejs-4.2.3.tgz
You can visit the Node.js website for more information about these vulnerabilities, and the specific releases that have been identified as vulnerable.</description>
    </item>
    
    <item>
      <title>TPS-2015-007 OpenSSL Security Advisory</title>
      <link>/tps-2015-007/</link>
      <pubDate>Fri, 04 Dec 2015 00:00:00 +0000</pubDate>
      
      <guid>/tps-2015-007/</guid>
      <description>SmartOS Users As per the table outlined below, users should update to the fixed release of the affected versions. Users running the older 1.0.0 or 0.9.8 versions of OpenSSL are advised to upgrade to a later version of OpenSSL.
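<![CDATA[
As an added check, not part of this advisory or of Joyent's tooling: the Python below parses the output of openssl version (or a pkgsrc package name such as openssl-1.0.1q) and decides, against the fixed releases from the table in this advisory, whether a host is patched. OpenSSL 1.0.x patch levels are ordered by a trailing letter (1.0.1p is older than 1.0.1q, and a bare 1.0.2 is older than 1.0.2a), which a plain string or float comparison gets wrong, so the letter is compared as its own field. Branches the table does not list (1.0.0, 0.9.8) are reported as needing an upgrade rather than a patch. The sample version strings are constructed; the function names and the branch-not-listed status are this example's own, and the fixed-release map can be swapped for the releases named in any of the other OpenSSL advisories on this page.

```python
import re

# Fixed releases named in this advisory's table (pkgsrc 2015Q3 / 2014Q4),
# keyed by release branch. Branches missing here should be upgraded, not patched.
FIXED_RELEASES = {"1.0.2": "1.0.2e", "1.0.1": "1.0.1q"}

# Matches "OpenSSL 1.0.1q 3 Dec 2015" (openssl version) and "openssl-1.0.1q" (pkgsrc).
_VERSION_RE = re.compile(r"openssl[ -](\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(text):
    """Return (major, minor, fix, letter) for the first OpenSSL version in text.
    The patch letter is kept as a separate element so tuple comparison orders
    releases correctly: "" sorts before "a", and "p" before "q"."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version found in: %r" % text)
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter.lower()


def openssl_patch_status(text, fixed_releases=FIXED_RELEASES):
    """Classify one version string as "fixed", "vulnerable", or "branch-not-listed"
    (the installed branch has no fixed release in the table, so upgrade instead)."""
    installed = parse_openssl_version(text)
    branch = "%d.%d.%d" % installed[:3]
    if branch not in fixed_releases:
        return "branch-not-listed"
    fixed = parse_openssl_version("OpenSSL " + fixed_releases[branch])
    return "fixed" if installed >= fixed else "vulnerable"


# Constructed sample outputs, not collected from real hosts.
SAMPLE_OUTPUTS = [
    "OpenSSL 1.0.2e 3 Dec 2015",
    "OpenSSL 1.0.2d 9 Jul 2015",
    "openssl-1.0.1q",
    "OpenSSL 1.0.1p 9 Jul 2015",
    "OpenSSL 1.0.2",
    "OpenSSL 0.9.8zh 3 Dec 2015",
]


def report(outputs=SAMPLE_OUTPUTS, fixed_releases=FIXED_RELEASES):
    """Map each version string to its status, for a fleet-wide summary."""
    return {o: openssl_patch_status(o, fixed_releases) for o in outputs}


if __name__ == "__main__":
    for line, status in report().items():
        print("%-32s %s" % (line, status))
```

On a SmartOS zone the input would come from openssl version, or from pkg_info -e openssl, which prints the installed package name; feeding that string to openssl_patch_status gives the same answer without having to read the table by hand.
]]>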
CVE | Version(s) Affected | Fixed Release(s) | Where Available (pkgsrc repo)
CVE-2015-3193 | OpenSSL 1.0.2 | OpenSSL 1.0.2e | 2015Q3
CVE-2015-3194 | OpenSSL 1.0.2, 1.0.1 | OpenSSL 1.0.2e, 1.0.1q | 2015Q3, 2014Q4
CVE-2015-3195 | OpenSSL 1.0.2, 1.0.1, 1.0.0, 0.</description>
    </item>
    
    <item>
      <title>TPS-2015-006 OpenSSL &#34;Man-in-the-Middle&#34; Vulnerability (CVE-2015-1793)</title>
      <link>/tps-2015-006/</link>
      <pubDate>Thu, 03 Dec 2015 00:00:00 +0000</pubDate>
      
      <guid>/tps-2015-006/</guid>
      <description>Introduction This advisory describes the scope of the recently-announced, &amp;ldquo;high-severity&amp;rdquo; OpenSSL vulnerability classified as CVE-2015-1793. This vulnerability could allow &amp;ldquo;man-in-the-middle&amp;rdquo; attackers to impersonate HTTPS servers and snoop on encrypted traffic.
Described in the sections below are actions being taken by Joyent, and actions recommended for customers to take. This article is meant to be used in addition to our 18-June-2015 and 20-March-2015 advisories regarding previously-announced OpenSSL vulnerabilities.
Upgrading your own OpenSSL version 1.</description>
    </item>
    
    <item>
      <title>TPS-2015-004 Logjam and Other Recent OpenSSL Vulnerabilities</title>
      <link>/tps-2015-004/</link>
      <pubDate>Thu, 18 Jun 2015 00:00:00 +0000</pubDate>
      
      <guid>/tps-2015-004/</guid>
      <description>Introduction This advisory describes the scope of the following recently-announced OpenSSL vulnerabilities, including Logjam:
CVE-2015-4000 (Logjam)
CVE-2015-1788
CVE-2015-1789
CVE-2015-1790
CVE-2015-1792
CVE-2015-1791
CVE-2014-8176
Described in the sections below are actions being taken by Joyent, and actions recommended for customers to take:
We made this advisory public on 18-June-2015. This advisory is meant to be used in addition to our 20-March-2015 article regarding previously-announced OpenSSL vulnerabilities. Upgrading your own OpenSSL version 1.0.1 or 1.</description>
    </item>
    
    <item>
      <title>TPS-2015-002 Addressing Recent OpenSSL Vulnerabilities</title>
      <link>/tps-2015-002/</link>
      <pubDate>Fri, 20 Mar 2015 00:00:00 +0000</pubDate>
      
      <guid>/tps-2015-002/</guid>
      <description>The following sections describe the scope of several recently-announced OpenSSL vulnerabilities. We have included actions being taken by Joyent, and actions recommended for customers to take.
CVEs specific to OpenSSL version 1.0.2 Joyent has never shipped any versions of OpenSSL version 1.0.2 to customers, either in pkgsrc or as part of SmartDataCenter (SDC). If we do ship 1.0.2 versions in the future, they will be those versions known to contain the recent security fixes.</description>
    </item>
    
    <item>
      <title>TPS-2015-001 Security Advisory for &#34;GHOST&#34; Vulnerability on Linux Systems (CVE-2015-0235)</title>
      <link>/tps-2015-001/</link>
      <pubDate>Wed, 28 Jan 2015 00:00:00 +0000</pubDate>
      
      <guid>/tps-2015-001/</guid>
      <description>This notice is to advise Joyent Public Cloud and SmartDataCenter customers of the recently identified glibc Linux security issue CVE-2015-0235 (GHOST).
This vulnerability can be triggered by the gethostbyname functions, impacting many systems built on Linux.
How can you determine whether you are vulnerable? You can scan for this vulnerability using the Qualys Vulnerability Management Cloud Solution as QID 123191. If you think you may be affected, patches are available from all of the Linux vendors starting today.</description>
    </item>
    
  </channel>
</rss>
