How To Update Your Services
The new releases referenced in the “Original Notice” section (below) have been added to the 2014Q4 and 2015Q4 pkgsrc repositories. The following latest package releases address the vulnerabilities outlined in this notice:
openssl-1.0.1s.tgz (now available in the 2014Q4 pkgsrc repository) openssl-1.0.2g.tgz (now available in the 2015Q4 repository) If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command (you may want to first test for any potential incompatibilities on a non-production machine):
Please check the notices applicable to the Linux distro that you are using:
- Debian: CVE-2016-0800, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799 and CVE-2016-0702
- Centos/Red Hat/Fedora: CVE-2016-0800, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, and CVE-2016-0702
- Ubuntu: CVE-2016-0800, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799 and CVE-2016-0702
This notice is to advise all Joyent Public Cloud (JPC) and Triton (formerly known as SDC) customers of the recently-identified OpenSSL security vulnerabilities CVE-2016-0800, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, and CVE-2016-0702.
More information and new updates about these vulnerabilities can be reviewed and monitored [here].
Both our Triton software and Manta services have been assessed, and it has been determined that they are not impacted by these vulnerabilities. However, we will update this notice to confirm when newer releases of both Node and OpenSSL packages are available in our pkgsrc repositories, to to allow users to access the updated release of the affected versions.