The following sections describe the scope of several recently announced OpenSSL vulnerabilities. We have included actions being taken by Joyent, and actions recommended for customers to take.
CVEs specific to OpenSSL version 1.0.2
Joyent has never shipped any version of OpenSSL 1.0.2 to customers, either in pkgsrc or as part of SmartDataCenter (SDC). If we do ship 1.0.2 versions in the future, they will be those versions known to contain the recent security fixes.
This notice is to advise all Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently identified bash security vulnerability CVE-2014-6271 (http://seclists.org/oss-sec/2014/q3/649) and the follow-on CVE-2014-7169 (https://access.redhat.com/security/cve/CVE-2014-7169), collectively known as Shellshock.
Note that CVE-2014-7169 has arisen due to incomplete fixes created for the CVE-2014-6271 vulnerability. (These fixes are created by the upstream maintainers of bash, not by Joyent.)
AT THIS TIME, JOYENT has patched the platform bash addressing CVE-2014-6271 as well as CVE-2014-7169 in the Joyent Public Cloud.