[OmniOS-discuss] SECURITY UPDATE FOR OpenSSL & Perl; plus other fixes

Colin Roche-Dutch colin at omniti.com
Tue Mar 1 19:16:45 UTC 2016


Hello,

The new OpenSSL update to address the DROWN attack is causing issues with
the pkg system, specifically with python due to the SSLv2 removal. Please
DO NOT update to the recently released OpenSSL package yet.

Dan will be sending a follow-up email once he has a fix for this in place
that may include additional information. If you have any questions, please
let us know.

-Thanks,
Colin Roche-Dutch

On Tue, Mar 1, 2016 at 1:55 PM, Dan McDonald <danmcd at omniti.com> wrote:

> Please "pkg update" your r151006 (old LTS), r151014 (LTS), or r151016
> (Stable) systems.
>
> All of the aforementioned releases will get new versions of OpenSSL that
> address the DROWN attack (CVE-2016-0800), and an update to Perl that
> addresses an environment duplication attack (CVE-2016-2381).
>
> Furthermore, r151014 & r151016 will receive OpenSSH updates that catch it
> up with certain SunSSH features (like GSSAPI support) that are currently in
> bloody.  Also, r151014 will receive small SMF updates to NTP and ISC DHCP
> that enable auto-restart of these services upon any future software updates.
>
> OmniOS bloody will receive a full refresh update within the next 72 hours.
>
> NOTE that SSLv2 and MD2 support are deprecated with this update (OpenSSL
> 1.0.2g for r151014 and later, OpenSSL 1.0.1s for r151006).
>
> Happy patching!
> Dan
>
> p.s. r151006 still gets security updates, but that will stop soon.  I'll
> discuss under a separate email.