TPS-2014-001 OpenSSL Vulnerability CVE-2014-0160 (Heartbleed)
This notice is to advise Joyent Public Cloud and Smart Data Center customers of the recently identified OpenSSL security issue CVE-2014-0160 (https://www.openssl.org/news/secadv_20140407.txt and http://heartbleed.com).
SmartOS Users
If you use the images with their original pkgsrc repositories as intended, check which package repository your image uses by looking at /opt/local/etc/pkgin/repositories.conf. If your repository is any of the following, and you have installed the openssl package using pkgin, you are vulnerable:
- 2012Q4
- 2013Q1
- 2013Q2
- 2013Q3
- 2013Q4
You can check if OpenSSL is installed by running:
pkgin ls | grep -i openssl
A patch has been prepared and updated packages have been built and added to the affected repositories as follows. The package name for each is shown alongside the repository name.
Repository | Package |
---|---|
2012Q4 | openssl-1.0.1dnb3 |
2013Q1 | openssl-1.0.1enb1 |
2013Q2 | openssl-1.0.1enb2 |
2013Q3 | openssl-1.0.1enb3 |
2013Q4 | openssl-1.0.1fnb1 |
Customers can re-install OpenSSL with the following commands:
pkgin -y up && pkgin -y in openssl
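The checks above can be combined into one script that reads the repository quarter and compares the installed package with the fixed package listed in the table. This is an added example, not Joyent's own tooling; the function names, the sample repository URL and the assumption that the quarter appears in the repository URL are illustrative.

```shell
#!/bin/sh
# Added example: classify a zone against the fixed-package table in this notice.

# Read repositories.conf text on stdin, print the pkgsrc quarter (e.g. 2013Q3).
# Assumption: the quarter appears in the first non-comment repository URL.
repo_quarter() {
    grep -v '^[[:space:]]*#' | sed -n 's/.*\(20[0-9][0-9]Q[1-4]\).*/\1/p' | head -n 1
}

# Fixed package for each affected repository, copied from the table above.
fixed_pkg() {
    case "$1" in
        2012Q4) echo openssl-1.0.1dnb3 ;;
        2013Q1) echo openssl-1.0.1enb1 ;;
        2013Q2) echo openssl-1.0.1enb2 ;;
        2013Q3) echo openssl-1.0.1enb3 ;;
        2013Q4) echo openssl-1.0.1fnb1 ;;
        *) return 1 ;;
    esac
}

# Split a pkgsrc name: "openssl-1.0.1enb3" -> base "openssl-1.0.1e", revision 3.
pkg_base() { echo "${1%nb[0-9]*}"; }
pkg_rev() { case "$1" in *nb[0-9]*) echo "${1##*nb}" ;; *) echo 0 ;; esac; }

# classify QUARTER INSTALLED_PKG prints: patched | vulnerable | not-installed | review
classify() {
    quarter=$1 installed=$2
    [ -n "$installed" ] || { echo not-installed; return 0; }
    fixed=$(fixed_pkg "$quarter") || { echo review; return 0; }
    if [ "$(pkg_base "$installed")" != "$(pkg_base "$fixed")" ]; then
        echo review        # different upstream version: compare by hand
    elif [ "$(pkg_rev "$installed")" -ge "$(pkg_rev "$fixed")" ]; then
        echo patched       # same version, revision at or past the fixed build
    else
        echo vulnerable    # same version, revision older than the fixed build
    fi
}

# Constructed sample input (not taken from a real zone).
sample_conf='# pkgin repositories
http://pkgsrc.example.invalid/packages/SmartOS/2013Q3/x86_64/All'
q=$(printf '%s\n' "$sample_conf" | repo_quarter)
echo "repository $q: $(classify "$q" openssl-1.0.1enb2)"
```

On a real zone, feed `repo_quarter` from /opt/local/etc/pkgin/repositories.conf and pass the openssl package name reported by `pkgin ls` as the second argument to `classify`.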
Linux Users
Please check the notices applicable to the Linux distribution you are using for the necessary remedial actions:
- Debian: https://www.debian.org/security/2014/dsa-2896
- CentOS/Red Hat/Fedora: https://rhn.redhat.com/errata/RHSA-2014-0376.html
- Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
Joyent Manta, CloudAPI, and Portal
Please be assured that the Joyent HTTPS endpoints for Manta, CloudAPI and the portal at https://my.joyent.com were not vulnerable to this issue.
Stingray Users
Stingray instances are NOT affected by this vulnerability.
Node.js Users
Only versions v0.10.0 and v0.10.1 were affected; the latest stable release, v0.10.26, is not affected. None of the releases for v0.8 were affected.