TPS-2014-001 OpenSSL Vulnerability CVE-2014-0160 (Heartbleed)

This notice is to advise Joyent Public Cloud and Smart Data Center customers of the recently identified OpenSSL security issue CVE-2014-0160 (https://www.openssl.org/news/secadv_20140407.txt and http://heartbleed.com).

SmartOS users

If you use the images with their original pkgsrc repositories as intended, check which package repository your image uses by looking at /opt/local/etc/pkgin/repositories.conf.  If your repository is any of the following, and you have installed the openssl package using pkgin, you are vulnerable:

  • 2012Q4
  • 2013Q1
  • 2013Q2
  • 2013Q3
  • 2013Q4

You can check if OpenSSL is installed by running:

pkgin ls | grep -i openssl

A patch has been prepared and updated packages have been built and added to the affected repositories as follows. The package name for each is shown alongside the repository name.

Image   Version
2012Q4  openssl-1.0.1dnb3
2013Q1  openssl-1.0.1enb1
2013Q2  openssl-1.0.1enb2
2013Q3  openssl-1.0.1enb3
2013Q4  openssl-1.0.1fnb1

Customers can re-install OpenSSL with the following commands:

pkgin -y up && pkgin -y in openssl
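
The SmartOS checks above, combined into one script as an added example (not Joyent's own tooling): it reads the repository quarter from repositories.conf, finds the installed openssl package in pkgin ls output, and compares it with the patched package listed for that repository. The function names and status words are assumptions made for this example, as is treating a package name with no nbN suffix as revision 0.

```shell
#!/bin/sh
# Added example: classify a SmartOS image against the TPS-2014-001 package table.

# Print the pkgsrc quarter (e.g. 2013Q3) from the first non-comment line
# of a repositories.conf file that contains one.
repo_quarter() {
    sed -n '/^[[:space:]]*#/d; s/.*\(20[0-9][0-9]Q[1-4]\).*/\1/p' "$1" | head -n 1
}

# Read `pkgin ls` output on stdin; print the installed openssl package name.
installed_openssl() {
    awk '$1 ~ /^openssl-[0-9]/ { print $1; exit }'
}

# Patched package per repository, copied from the advisory table.
fixed_pkg() {
    case "$1" in
        2012Q4) echo openssl-1.0.1dnb3 ;;
        2013Q1) echo openssl-1.0.1enb1 ;;
        2013Q2) echo openssl-1.0.1enb2 ;;
        2013Q3) echo openssl-1.0.1enb3 ;;
        2013Q4) echo openssl-1.0.1fnb1 ;;
        *) return 1 ;;
    esac
}

# Split "openssl-1.0.1enb2" into base ("openssl-1.0.1e") and revision ("2").
pkg_base() { echo "$1" | sed 's/nb[0-9]*$//'; }
pkg_rev()  { echo "$1" | sed -n 's/.*nb\([0-9][0-9]*\)$/\1/p'; }

# heartbleed_status QUARTER INSTALLED_PKG -> one status word on stdout.
heartbleed_status() {
    fixed=$(fixed_pkg "$1") || { echo not-listed; return 0; }
    [ -n "$2" ] || { echo not-installed; return 0; }
    if [ "$(pkg_base "$2")" != "$(pkg_base "$fixed")" ]; then
        echo review   # different upstream version: compare by hand
        return 0
    fi
    have=$(pkg_rev "$2"); have=${have:-0}   # assumption: no nbN suffix = revision 0
    if [ "$have" -ge "$(pkg_rev "$fixed")" ]; then echo patched; else echo vulnerable; fi
}
```

On an image, run `heartbleed_status "$(repo_quarter /opt/local/etc/pkgin/repositories.conf)" "$(pkgin ls | installed_openssl)"`; a result of vulnerable means the pkgin commands above apply.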

Linux Users

Please check the notices applicable to the Linux Distro you are using for the necessary remedial actions:

Joyent Manta, CloudAPI, and Portal

Please be assured that the Joyent HTTPS endpoints for Manta, CloudAPI and the portal at https://my.joyent.com were not vulnerable to this issue.

Stingray Users

Stingray instances are NOT affected by this vulnerability.

Node.js Users

Only versions v0.10.0 and v0.10.1 were affected; the latest stable release, v0.10.26, is not affected. None of the releases for v0.8 were affected.