[OmniOS-discuss] OmniOS OpenSSL 1.0.1g and CVE-2014-0160

Theo Schlossnagle jesus at omniti.com
Tue Apr 8 01:51:46 UTC 2014


Today was an unfortunate day for the Internet as a particularly devastating
and quite longstanding bug was revealed in OpenSSL 1.0.1.

OmniOS uses OpenSSL 1.0.1 and, like all other distributions (regardless of
operating system) that use OpenSSL 1.0.1, is vulnerable.

While I'd normally link to the CVE directly, there is a particularly well
organized site dedicated to this bug with many reference documents linked
from it.  If you are interested in the details of the bug (and if you care
about security, you should be interested), please visit
http://heartbleed.com/

Earlier today we updated our builds to use OpenSSL 1.0.1g which addresses
this particular bug (CVE-2014-0160).  We've rerolled and published packages
for all supported OmniOS releases: bloody, r151008 and r151006LTS.

The package FMRIs are as follows:

For r151006 LTS:
pkg://omnios/library/security/openssl@1.0.1.7,5.11-0.151006:20140407T211430Z

For r151008:
pkg://omnios/library/security/openssl@1.0.1.7,5.11-0.151008:20140407T220403Z

For bloody:
pkg://omnios/library/security/openssl@1.0.1.7,5.11-0.151009:20140407T211119Z

These packages do not require a new BE or a reboot.  You can perform this
upgrade with minimal service interruption. Please update your systems now
and restart any services that link against OpenSSL libraries to arrive at a
safe state.

On a side note, April 7th is National Beer Day and an OmniTI corporate
holiday.  We considered this security issue critical enough to stop
drinking beer and dive into providing updates.  If we thought this security
issue warranted interruption of our celebration of National Beer Day, you
too should take it very seriously.

Best regards,

Theo
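
The two checks the announcement implies, as an added example that is not part of the original message: whether an installed openssl FMRI is at or after the fixed build for its release, and which processes have OpenSSL libraries loaded and so need a restart. The function names, the sample process listing and its pldd-style layout are assumptions; the timestamps are copied from the FMRIs listed above.

```shell
#!/bin/sh
# Added example. Function names and the sample listing are hypothetical.

# Publication timestamp of the fixed package per release branch (from the message).
fixed_stamp() {
    case "$1" in
        0.151006) echo 20140407T211430Z ;;   # r151006 LTS
        0.151008) echo 20140407T220403Z ;;   # r151008
        0.151009) echo 20140407T211119Z ;;   # bloody
        *) return 1 ;;
    esac
}

# Exit 0: FMRI is the fixed build or was published later on the same branch
# (assumption: later builds on a branch keep the fix). Exit 1: older build.
# Exit 2: unknown branch or malformed timestamp.
fmri_is_fixed() {
    stamp=${1##*:}          # text after the last ':'
    rest=${1%:*}
    branch=${rest##*-}      # text after the last '-'
    want=$(fixed_stamp "$branch") || return 2
    # Fixed-width timestamps sort correctly as strings.
    awk -v have="$stamp" -v want="$want" 'BEGIN {
        if (have !~ /^[0-9]+T[0-9]+Z$/ || length(have) != length(want)) exit 2
        exit !(have >= want)
    }'
}

# Reads a process/library listing on stdin and prints "PID COMMAND" once for
# each process that has libssl or libcrypto loaded.
openssl_users() {
    awk '/^[0-9]+:/ { pid = $1; sub(/:$/, "", pid); cmd = $2; hit = 0; next }
         /lib(ssl|crypto)\.so/ && !hit { print pid, cmd; hit = 1 }'
}

# Constructed sample, assumed layout: "PID: command", then one library per line.
SAMPLE_PLDD='501: /usr/lib/ssh/sshd
/lib/libcrypto.so.1.0.0
/lib/libc.so.1
742: /usr/sbin/cron
/lib/libc.so.1
903: /opt/example/bin/httpd
/lib/libssl.so.1.0.0
/lib/libcrypto.so.1.0.0'

printf '%s\n' "$SAMPLE_PLDD" | openssl_users
```

A process started before the update keeps the old library mapped until it is restarted, so every process this lists is a restart candidate regardless of what the package database reports.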