On Tue, Apr 08, 2014 at 10:34:15AM -0500, Jason Lawrence wrote:
> I checked this morning and the OpenSSL available via pkgin (2013Q3 on my
> hosts) is one of the affected versions. What is the proper way to mitigate
> this on SmartOS machines using pkgin?
There are several cases here; please read carefully. These instructions apply
to SmartOS. Stay tuned for more formal communication from Joyent regarding the
Joyent Public Cloud, node.js, and other services. This notice is provided for
informational purposes only as a service to the SmartOS community and does not
replace formal notices issued to Joyent customers.

1. If you use the images with their original pkgsrc repositories as intended,
   check which package repository your image uses by looking at
   /opt/local/etc/pkgin/repositories.conf. If your repository is any of the
   following, and you have installed the openssl package using pkgin, you are
   vulnerable:

     2012Q4
     2013Q1
     2013Q2
     2013Q3
     2013Q4
     2014Q1/master/wip

   A patch[0] has been prepared and updated packages are being built in the
   affected repositories. These builds will take a few hours and when they
   complete, updated packages will be available via pkgin.

2. If you are provisioning new instances, be aware that those instances which
   have the openssl package installed by default will be vulnerable until new
   images are spun. Accordingly, until imgadm indicates that newer images are
   available, you will need to upgrade (or remove) the openssl package via
   pkgin after provisioning. To do this, utter:

     pkgin update
     pkgin install openssl

   Alternately, you may utter:

     pkgin full-upgrade

3. If you are using an OpenSSL that was not installed via pkgin, you will need
   to either obtain a patch and rebuild your OpenSSL from source, or upgrade to
   OpenSSL 1.0.1g.

4. In all of the above cases, after upgrading, you must restart any TLS
   servers that may be consuming the OpenSSL libraries in order for the
   upgrade to take effect. If you are unsure which services are TLS servers,
   the simplest and safest way to ensure your upgrade takes effect is to
   reboot your zone.

5. KVM instances must be upgraded according to the instructions provided by
   your guest OS vendor.

6. 
   The platform contains 2 different versions of OpenSSL libraries; however,
   SmartOS platform images have not contained OpenSSL headers or compilation
   symlinks for over a year. Therefore, it is highly unlikely that any TLS
   servers are running that are linked with either of these libraries. In
   addition, the only usable platform OpenSSL libraries provided are version
   0.9.8, which does not contain this bug. The other version of the libraries
   delivered *is* vulnerable; however, the platform does not by default run
   any services that provide TLS using these libraries. Nevertheless, a
   subsequent SmartOS platform image will have a fix for this bug, either via
   a patch or by upgrading to 1.0.1g or later.

[0] https://github.com/joyent/pkgsrc/commit/fec1169d9884645efbb61399bc618ceec4084b02

-------------------------------------------
smartos-discuss Archives: https://www.listbox.com/member/archive/184463/=now
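The checks in items 1 and 2 above (affected repository branch plus an openssl package installed through pkgin) and the remediation in items 2 and 4, as an added shell example. This is not part of the original post and not Joyent or pkgin tooling; it assumes that Joyent repository URLs embed the branch name as a path component (e.g. `.../SmartOS/2013Q3/x86_64/All`) and that `pkgin list` prints one `name-version  description` line per installed package. The sample repositories.conf and package list it runs on are constructed inline so it works offline.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: an offline audit that applies
# the post's rule "affected repository AND openssl installed via pkgin" and
# prints the post's upgrade-and-restart steps when it matches.
# Assumption: branch names appear as a path component of the repository URL.

# Repository branches the post lists as affected.
AFFECTED_BRANCHES="2012Q4 2013Q1 2013Q2 2013Q3 2013Q4 2014Q1 master wip"

# affected_branch URL: print the affected branch named in URL and return 0,
# or return 1 if the URL names none of them.
affected_branch() {
    url=$1
    for b in $AFFECTED_BRANCHES; do
        case "$url" in
            *"/$b/"*) printf '%s\n' "$b"; return 0 ;;
        esac
    done
    return 1
}

# check_repositories_conf FILE: scan the non-comment, non-blank lines of a
# repositories.conf, print every affected repository, return 0 if any found.
check_repositories_conf() {
    rc=1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        if b=$(affected_branch "$line"); then
            printf 'affected repository (%s): %s\n' "$b" "$line"
            rc=0
        fi
    done < "$1"
    return $rc
}

# openssl_installed FILE: FILE holds `pkgin list` output; print the installed
# openssl-<version> package and return 0, or return 1 if there is none.
openssl_installed() {
    pkg=$(awk '$1 ~ /^openssl-[0-9]/ { print $1; exit }' "$1")
    [ -n "$pkg" ] || return 1
    printf '%s\n' "$pkg"
}

# audit REPOS_CONF PKGIN_LIST: combine both checks; return 0 (and print the
# remediation from the post) only when both conditions hold.
audit() {
    repos=$(check_repositories_conf "$1") || {
        echo "repository is not in the affected list"; return 1; }
    printf '%s\n' "$repos"
    pkg=$(openssl_installed "$2") || {
        echo "openssl not installed via pkgin; nothing for pkgin to upgrade"; return 1; }
    cat <<EOF
$pkg comes from an affected repository: upgrade, then restart TLS servers
  pkgin update
  pkgin install openssl      # or: pkgin full-upgrade
  restart every TLS server that loads the OpenSSL libraries, or reboot the zone
EOF
    return 0
}

# Constructed sample inputs (not a real host) so the script runs offline.
demo() {
    conf=$(mktemp) && list=$(mktemp) || return 1
    printf '# pkgin repositories (constructed sample)\n' > "$conf"
    printf 'http://pkgsrc.joyent.com/packages/SmartOS/2013Q3/x86_64/All\n' >> "$conf"
    printf 'openssl-1.0.1e       Secure Socket Layer and cryptographic library\n' > "$list"
    printf 'zlib-1.2.8           General purpose data compression library\n' >> "$list"
    audit "$conf" "$list"
    rm -f "$conf" "$list"
}
demo
```

On a real zone, run `pkgin list > /tmp/pkgin.list` and then `audit /opt/local/etc/pkgin/repositories.conf /tmp/pkgin.list`. The script deliberately stops at "nothing for pkgin to upgrade" rather than declaring the host safe: an OpenSSL built from source (item 3) or a KVM guest (item 5) is outside what pkgin can see.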
