pkgsrc

TPS-2024-001 SmartOS / Triton not affected by CVE-2024-3094

Overview Recently a back door was discovered in the xz-utils software. This appears to have been introduced by a malicious party with ownership access to the repository. The back door targets Linux systems running OpenSSH and systemd when xz is at version 5.6.0 or 5.6.1. At the current time we have high confidence that the back door does not work on SmartOS. Linux binaries running in lx-brand zones may still be affected.

TPS-2016-010 OpenSSL High-Severity CVE-2016-6304 / Node.js CVE-2016-7099 and Other Vulnerabilities

How To Update Your Services SmartOS Users New releases of the Node.js and OpenSSL packages have been added to our pkgsrc repository (see below for specific details). The following latest package releases address the vulnerabilities outlined in this post’s “Original Notice” section: nodejs-6.7.0.tgz (2016Q3) nodejs-4.6.0.tgz (2014Q4, 2015Q4, 2016Q3) nodejs-0.12.16.tgz (2014Q4, 2015Q4, 2016Q3) nodejs-0.10.47.tgz (2014Q4, 2015Q4, 2016Q3) openssl-1.0.2j.tgz (2015Q4, 2016Q3) openssl-1.0.2i.tgz (2015Q4) openssl-1.0.1u.tgz (2014Q4) If you are running on an older SmartOS image that is using a deprecated pkgsrc repository, you may still try installing the correct fixed package by using the following command (NOTE: please test for any potential incompatibilities on a non-production machine prior to trying this):

TPS-2016-009 Node.js Vulnerabilities CVE-2016-1669 and CVE-2014-9748

How To Update Your Services SmartOS Users New releases of the Node.js packages have been added to the 2016Q1 pkgsrc repository. The following latest package releases address the vulnerabilities outlined in this notice: nodejs-5.12.0.tgz nodejs-4.4.7.tgz nodejs-0.12.15.tgz nodejs-0.10.46.tgz If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command (you may want to first test for any potential incompatibilities on a non-production machine):

TPS-2016-008 OpenSSL CVE-2016-2108, CVE-2016-2107, Other Vulnerabilities

How To Update Your Services Triton Cloud (public cloud) users and Triton Enterprise (on-premises, private cloud) software users Update to the fixed release of the affected versions, as shown in the table below: CVE Version(s) Affected Fixed Release(s) Where Available CVE-2016-2108 OpenSSL 1.0.1, OpenSSL 1.0.2 OpenSSL 1.0.1o, OpenSSL 1.0.2c 2014Q2, 2014Q4 2015Q2 CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176 OpenSSL 1.0.1 OpenSSL 1.

TPS-2015-005 Vulnerability in Node.js 0.11.x thru 0.12.5

Summary Vulnerability in Node.js 0.11.x thru 0.12.5 – this issue is resolved as follows in Node.js version 0.12.6: Fixed an out-of-band write in utf8 decoder. Impacts all Buffer to String conversions. This is an important security update as it can be used to cause a denial of service attack. Status pkgsrc 2014Q4 and 2015Q1 have been updated with nodejs-0.12.6. Customers can upgrade as follows: pkgin up pkgin upgrade nodejs If you have any questions regarding this issue, please contact Joyent Support by creating a ticket at https://help.

TPS-2014-004 Bash Vulnerability CVE-2014-6271 & CVE-2014-7169 (Shellshock) - remote code execution through bash

This notice is to advise all Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently-identified bash security vulnerability CVE-2014-6271 (http://seclists.org/oss-sec/2014/q3/649) and the follow-on CVE-2014-7169 (https://access.redhat.com/security/cve/CVE-2014-7169), collectively known as Shellshock. Note that CVE-2014-7169 has arisen due to incomplete fixes created for the CVE-2014-6271 vulnerability. (These fixes are created by the upstream maintainers of bash, not by Joyent.) AT THIS TIME, JOYENT has patched the platform bash addressing CVE-2014-6271 as well as CVE-2014-7169 in the Joyent Public Cloud.

TPS-2014-003 Important Heartbleed Notice - Action Required

We are posting this information as a follow up to prior notices on the Heartbleed bug to ensure customers have reviewed the suggested steps to identify and remediate any vulnerabilities. Heartbleed is a security vulnerability in the OpenSSL encryption software, which is used by a large portion of the secured websites/systems on the Internet, and may also be used by you in your web sites, and/or applications hosted on the Joyent Cloud platform.

TPS-2014-002 OpenSSL Vulnerability CVE-2014-0224 (Heartbleed)

UPDATE as of 8:09am PDT (15:09 UTC) on 21-June-2014 - New fixed OpenSSL package now available in 2013Q2 repository UPDATE as of 8:30am PDT (15:30 UTC) on 20-June-2014 - See section below regarding 2013Q2 repository RESOLVED - UPDATE as of 11:30am PDT (18:30 UTC) on 09-June-2014 This notice is to advise Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently-identified Open SSL security issue CVE-2014-0224 (https://www.openssl.org/news/secadv_20140605.txt). SmartOS users If you use the images with their original pkgsrc repositories as intended, check which package repository your image uses by looking at /opt/local/etc/pkgin/repositories.

TPS-2014-001 OpenSSL Vulnerability CVE-2014-0160 (Heartbleed)

This notice is to advise Joyent Public Cloud and Smart Data Center customers of the recently identified Open SSL security issue openssl CVE-2014-0160 (https://www.openssl.org/news/secadv_20140407.txt and http://heartbleed.com). SmartOS users If you use the images with their original pkgsrc repositories as intended, check which package repository your image uses by looking at /opt/local/etc/pkgin/repositories.conf. If your repository is any of the following, and you have installed the openssl package using pkgin, you are vulnerable: