As per the table outlined below, users should update to the fixed release for their affected version. Users still running the older 1.0.0 or 0.9.8 branches of OpenSSL are advised to upgrade to a later OpenSSL branch.
| CVE | Version(s) Affected | Fixed Release(s) | Where Available (pkgsrc repo) |
| --- | --- | --- | --- |
| CVE-2015-3193 | OpenSSL 1.0.2 | OpenSSL 1.0.2e | 2015Q3 |
| CVE-2015-3194 | OpenSSL 1.0.2, 1.0.1 | OpenSSL 1.0.2e, 1.0.1q | 2015Q3, 2014Q4 |
| CVE-2015-3195 | OpenSSL 1.0.2, 1.0.1, 1.0.0, 0.9.8 | OpenSSL 1.0.2e, 1.0.1q, 1.0.0t, 0.9.8zh | 2015Q3, 2014Q4 (only 1.0.2, 1.0.1) |
| CVE-2015-3196 | OpenSSL 1.0.2, 1.0.1, 1.0.0 | OpenSSL 1.0.2d, 1.0.1p, 1.0.0t | 2015Q3, 2014Q4 (only 1.0.2, 1.0.1) |
| CVE-2015-1794 | OpenSSL 1.0.2 | OpenSSL 1.0.2e | 2015Q3 |
You can determine whether OpenSSL is installed (as well as the version you have installed) by running:
pkgin ls | grep -i openssl
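The version string that `pkgin ls` (or `openssl version`) reports still has to be compared against the fixed release for its branch, and OpenSSL's letter suffixes ("1.0.2d" is older than "1.0.2e", and "0.9.8zh" is newer than "0.9.8z") do not sort correctly as plain strings. The following POSIX shell helper is an added example, not part of the Joyent notice; it encodes the fixed releases from the table above (the newest fixed release per branch, which covers every CVE listed) and classifies a version string as fixed, vulnerable, or unknown. The sample version strings at the bottom are constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example (not from the Joyent advisory): decide whether an installed
# OpenSSL version string is at or past the fixed release for its branch.

# Fixed releases per branch, as listed in the advisory table (newest per branch).
fixed_release_for() {
    case "$1" in
        1.0.2) echo "1.0.2e" ;;
        1.0.1) echo "1.0.1q" ;;
        1.0.0) echo "1.0.0t" ;;
        0.9.8) echo "0.9.8zh" ;;
        *)     echo "" ;;          # branch not covered by the table
    esac
}

# "1.0.2e" -> branch "1.0.2"; "0.9.8zh" -> suffix "zh"; "1.0.2" -> suffix "".
branch_of() { printf '%s\n' "$1" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/'; }
suffix_of() { printf '%s\n' "$1" | sed 's/^[0-9]*\.[0-9]*\.[0-9]*//'; }

# True if suffix $1 is at or after suffix $2 in OpenSSL's ordering:
# "" < "a" < ... < "z" < "za" < ... < "zh" (shorter is older; same length
# compares alphabetically, done with sort so it stays POSIX-safe).
suffix_ge() {
    a="$1"; b="$2"
    la=${#a}; lb=${#b}
    if [ "$la" -ne "$lb" ]; then
        [ "$la" -gt "$lb" ]
    else
        [ "$(printf '%s\n%s\n' "$a" "$b" | LC_ALL=C sort | head -n1)" = "$b" ]
    fi
}

# Prints "fixed", "vulnerable" or "unknown" for a version string such as 1.0.2e.
# On a live SmartOS/pkgsrc host:  openssl_status "$(openssl version | awk '{print $2}')"
openssl_status() {
    installed="$1"
    branch=$(branch_of "$installed")
    fixed=$(fixed_release_for "$branch")
    [ -n "$fixed" ] || { echo "unknown"; return 0; }
    if suffix_ge "$(suffix_of "$installed")" "$(suffix_of "$fixed")"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# Constructed sample inputs (not real hosts) showing the three outcomes.
for v in 1.0.2d 1.0.2e 0.9.8zh 1.1.0; do
    printf '%-8s %s\n' "$v" "$(openssl_status "$v")"
done
```

Feed the function the second field of `openssl version` (or the version part of the `openssl-<version>` package name from `pkgin ls`); a result of "vulnerable" means the package is older than the fixed release in the table, and "unknown" means the branch is not one the table covers and needs checking by hand.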
Customers can re-install OpenSSL with the following commands:
pkgin -y up && pkgin -y in openssl
Or, if the required version is only available in a different repository, install that version directly by running:
For example, if you need OpenSSL 1.0.2e from the 2015Q3 repository but your image is configured to use a different repository, you can install 1.0.2e by running:
Please check the notices applicable to the Linux Distro you are using for the necessary remedial actions:
- Debian: https://www.debian.org/security/2015/dsa-3413
- Centos/Red Hat/Fedora: https://access.redhat.com/solutions/2076883
- Ubuntu: http://www.ubuntu.com/usn/usn-2830-1/
Joyent Manta, CloudAPI and Portal
Please be assured that any Joyent components identified as being affected will be updated.
Node.js versions v0.10.x through 4.x were affected. It is advised that you update Node.js to the latest releases:
- nodejs-0.10.41 (pending)
- nodejs-0.12.9 (available in the 2014Q4 pkgsrc repo, pending availability in the 2015* repos)
- nodejs-4.2.3 (available in the 2014Q4 pkgsrc repo, pending availability in the 2015* repos)
Please also take note of the most recently announced Node.js vulnerabilities outlined here.
We will continue to update this notice with any new information in due course, so please check back periodically for any new details.
This notice is to advise all Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently-identified OpenSSL security vulnerabilities CVE-2015-3193, CVE-2015-3194, CVE-2015-3195 and CVE-2015-3196. More information about these vulnerabilities can be reviewed here.
We believe these security vulnerabilities do not pose a significant threat at this time. However, in due course we will update this notice to confirm the actions taken by Joyent and to provide specific details of any actions required of JPC and SDC customers.