TPS-2016-008 OpenSSL CVE-2016-2108, CVE-2016-2107, Other Vulnerabilities

How To Update Your Services

Triton Cloud (public cloud) users and Triton Enterprise (on-premises, private cloud) software users

Update to the fixed release of the affected versions, as shown in the table below:

CVE Version(s) Affected Fixed Release(s) Where Available
CVE-2016-2108 OpenSSL 1.0.1, OpenSSL 1.0.2 OpenSSL 1.0.1o, OpenSSL 1.0.2c 2014Q2, 2014Q4 2015Q2
CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176 OpenSSL 1.0.1 OpenSSL 1.0.2 OpenSSL 1.0.1o OpenSSL 1.0.2h 2014Q4 2015Q4, 2016Q1

You can determine whether OpenSSL is installed (as well as the version you have installed) by running:

pkgin ls | grep -i openssl

Customers can re-install OpenSSL with the following commands:

pkgin -y up && pkgin -y in openssl

Or, install the version needed (if only available in a different repository), by running:

pkg_add pkgsrc_path_to_package

For example, if you need to install OpenSSL version 1.0.2h from the 2016Q1 repository, but you are running on an image that is using a different repository, you can install the 1.0.2h version by running the following (with the caveat that we strongly suggest you first try this on a non-production machine, to ensure you do not run into any dependency issues):

pkg_add -U

Note: If your current version is 1.0.1 then you can only upgrade to 1.0.1t from the 2014Q4 repository as follows. You cannot upgrade to 1.0.2h

pkg_add -U

Triton Enterprise (formerly SDC 7) software users

The following Triton components have been fixed and are now available from the support channel:

  • sdcadm (upgrade to most recently published 1.11.1 version)
  • adminui (upgrade to release-20160512-20160512T165733Z-g63d9d37)
  • docker (upgrade to release-20160512-20160512T164735Z-gabdb1f1)
  • imgapi (upgrade to release-20160512-20160512T164432Z-g318b58e)
  • gz-tools (upgrade to most recently published 3.0.0 version)
  • Users should also update their boot platform to release-20160428-20160504T174400Z, or newer

For further details on applying updates, you can reference the Triton maintenance and upgrades web page. Should you require any further assistance with your updates to the components above, please contact our Support team by raising a request at the Customer Support portal or emailing

Manta, CloudAPI and Portal

Please be assured that any Joyent components identified as being affected will be updated.

Linux Users

Please check the notices applicable to the Linux distro that you are using:

  • Debian: CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 and CVE-2016-2176
  • Centos/Red Hat/Fedora: CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 and CVE-2016-2176
  • Ubuntu: CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 and CVE-2016-2176

Node.js users

As described in the 6-May-2016 Node.js update found here, the following releases have been made available to include the OpenSSL security updates:

  • Node v6.1.0 (Current)
  • Node v5.11.1
  • Node v4.4.4 (LTS)
  • Node v0.12.14 (Maintenance)
  • Node v0.10.45 (Maintenance)

Please upgrade your Node.js installation as soon as possible.

Open source Triton users

Update boot platform image to: release-20160428-20160504T174400Z

Update adminui, docker, and imgapi to the 20150512* releases.

Direct any further questions to: The SmartOS Community Mailing Lists and IRC

Original Notice

This notice is to provide preliminary advice to all Triton Cloud (public cloud) customers and all Triton Enterprise (formerly SDC 7) software customers of the recently-identified, high-severity OpenSSL security vulnerabilities CVE-2016-2108 and CVE-2016-2107, as well as four low-severity CVEs. Further information regarding these vulnerabilities is available here.

As soon as we can, we will update this notice to confirm the actions taken by Joyent, and to provide specific details of any required actions – such as pkgsrc and software updates – that will need to be taken by both Triton Cloud and Triton Enterprise software customers.

Node users are advised to watch for updates here; any new Node.js releases impacting software will be included in the above-mentioned Joyent pkgsrc and software updates.

Please do not hesitate to contact our Support team (by raising a ticket at the Customer Support portal or by email to if any questions or concerns come up.