Overview Two new vulnerabilities in the OpenSSH SSH client (CVE-2016-0777 and CVE-2016-0778) allow a malicious or compromised SSH server to induce the client to leak arbitrary memory (including the client’s private keys), and, in some versions of the client, execute arbitrary code on the client system. The client checks the server’s host keys before reaching the point of vulnerability, so a man-in-the-middle attack is not a realistic vector (unless the server’s host keys have already been disclosed).
SmartOS Users New releases of the node.js packages have been added to the 2014Q4 pkgsrc repository. The following latest package releases address the vulnerabilities outlined in this notice:
nodejs-0.12.9.tgz nodejs-4.2.3.tgz If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command:
pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/nodejs-0.12.9.tgz pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/nodejs-4.2.3.tgz You can visit the Node.js website for more information about these vulnerabilities, and the specific releases that have been identified as vulnerable.
SmartOS Users As per the table outlined below, users should update to the fixed release of the affected versions. For users running on the older 1.0.0 or 0.9.8 versions of OpenSSL, you are advised to upgrade to later versions of OpenSSL.
CVE Version(s) Affected Fixed Release(s) Where Available (pkgsrc repo) CVE-2015-3193 OpenSSL 1.0.2 OpenSSL 1.0.2e 2015Q3 CVE-2015-3194 OpenSSL 1.0.2, 1.0.1 OpenSSL 1.
Introduction This advisory describes the scope of the recently-announced, “high-severity” OpenSSL vulnerability classified as CVE-2015-1793. This vulnerability could allow “man-in-the-middle” attackers to impersonate HTTPS servers and snoop on encrypted traffic.
Described in the sections below are actions being taken by Joyent, and actions recommended for customers to take. This article is meant to be used in addition to our 18-June-2015 and 20-March-2015 advisories regarding previously-announced OpenSSL vulnerabilities.
Upgrading your own OpenSSL version 1.
Introduction This advisory describes the scope of the following recently-announced OpenSSL vulnerabilities, including Logjam:
CVE-2015-4000 (Logjam) CVE-2015-1788 CVE-2015-1789 CVE-2015-1790 CVE-2015-1792 CVE-2015-1791 CVE-2014-8176 Described in the sections below are actions being taken by Joyent, and actions recommended for customers to take:
We made this advisory public on 18-June-2015. This advisory is meant to be used in addition to our 20-March-2015 article regarding previously-announced OpenSSL vulnerabilities. Upgrading your own OpenSSL version 1.
The following sections describe the scope of several recently-announced Open SSL Vulnerabilities. We have included actions being taken by Joyent, and actions recommended for customers to take.
CVEs specific to OpenSSL version 1.0.2 Joyent has never shipped any versions of OpenSSL version 1.0.2 to customers, either in pkgsrc or as part of SmartDataCenter (SDC). If we do ship 1.0.2 versions in the future, they will be those versions known to contain the recent security fixes.
This notice is to advise Joyent Public Cloud and Smart Data Center customers of the recently identified glibc Linux security issue CVE-2015-0235 (GHOST).
This vulnerability can be triggered by the gethostbyname functions, impacting many systems built on Linux.
How can you determine whether you are vulnerable? You can scan for this vulnerability using the Qualys Vulnerability Management Cloud Solution as QID 123191. If you think you may be affected, patches are available from all of the Linux vendors starting today.