TPS-2014-002 OpenSSL Vulnerability CVE-2014-0224 (Heartbleed)
UPDATE as of 8:09am PDT (15:09 UTC) on 21-June-2014 - New fixed OpenSSL package now available in 2013Q2 repository
UPDATE as of 8:30am PDT (15:30 UTC) on 20-June-2014 - See section below regarding 2013Q2 repository
RESOLVED - UPDATE as of 11:30am PDT (18:30 UTC) on 09-June-2014
This notice is to advise Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently identified OpenSSL security issue CVE-2014-0224 (https://www.openssl.org/news/secadv_20140605.txt).
SmartOS users
If you use the images with their original pkgsrc repositories as intended, check which package repository your image uses by looking at /opt/local/etc/pkgin/repositories.conf. If your repository is any of the following, and you have installed the openssl package using pkgin, you are vulnerable:
- 2014Q1
- 2013Q4
- 2013Q3
- 2013Q2*
- 2013Q1
- 2012Q4
You can determine whether OpenSSL is installed by running:
pkgin ls | grep -i openssl
A patch has been prepared and updated packages have been built and added to the affected repositories. All branches have been upgraded to OpenSSL Version 1.0.1h, except for the 2013Q2 repository - please install:
openssl-1.0.1hnb1.tgz
Customers can re-install OpenSSL with the following commands:
pkgin -y up && pkgin -y in openssl
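The two checks above (repository branch, then installed openssl package) can be combined into one triage pass. The script below is an added example, not Joyent tooling; the function names, the sample repository URL and the sample `pkgin ls` lines are constructed for illustration, while the branch list and the 1.0.1h fixed version come from this notice.

```shell
#!/bin/sh
# Added triage sketch for this notice; not Joyent tooling.
# Branch list and fixed version (1.0.1h) are taken from the notice above.
AFFECTED="2014Q1 2013Q4 2013Q3 2013Q2 2013Q1 2012Q4"

# stdin: repositories.conf text -> first pkgsrc branch on a non-comment line
repo_branch() {
    sed -n '/^[[:space:]]*#/d; s/.*\(20[0-9][0-9]Q[1-4]\).*/\1/p' | head -n 1
}

# stdin: `pkgin ls` output -> the openssl package itself, skipping packages
# that merely contain the name (a plain `grep -i openssl` also matches those)
openssl_pkg() {
    awk '$1 ~ /^openssl-[0-9]/ { print $1; exit }'
}

# triage CONF_TEXT PKGIN_LS_TEXT
# prints: not-listed | not-installed | fixed | update-needed
triage() {
    branch=$(printf '%s\n' "$1" | repo_branch)
    pkg=$(printf '%s\n' "$2" | openssl_pkg)
    case " $AFFECTED " in
        *" $branch "*) ;;                        # branch named in this notice
        *) echo "not-listed"; return 0 ;;
    esac
    case "$pkg" in
        "")                  echo "not-installed" ;;
        openssl-1.0.1[h-z]*) echo "fixed" ;;     # 1.0.1h, 1.0.1hnb1, later letters
        *)                   echo "update-needed" ;;
    esac
}

# Constructed sample inputs (URL layout and package lines are illustrative).
SAMPLE_CONF='# pkgin repositories
http://pkgsrc.example.invalid/packages/SmartOS/2013Q2/x86_64/All'
SAMPLE_OLD='nginx-1.5.8          Lightweight HTTP server
openssl-1.0.1g       Secure Socket Layer and cryptographic library
py27-OpenSSL-0.13    Python interface to the OpenSSL library'
SAMPLE_NEW='openssl-1.0.1hnb1    Secure Socket Layer and cryptographic library'

echo "before update: $(triage "$SAMPLE_CONF" "$SAMPLE_OLD")"
echo "after update:  $(triage "$SAMPLE_CONF" "$SAMPLE_NEW")"
# On a host: triage "$(cat /opt/local/etc/pkgin/repositories.conf)" "$(pkgin ls)"
```

A result of not-listed only means the branch is not one of those named in this notice. Processes that were already running when the package was updated keep the old library loaded until they are restarted.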
Linux Users
Please check the notices applicable to the Linux distribution you are using for the necessary remedial actions:
- Debian: https://www.debian.org/security/2014/dsa-2950
- CentOS/Red Hat/Fedora: https://rhn.redhat.com/errata/RHSA-2014-0631.html
- Ubuntu: http://www.ubuntu.com/usn/usn-2232-1/
Joyent Manta, CloudAPI and Portal
Please be assured that the Joyent HTTPS endpoints for Manta, CloudAPI and the portal at https://my.joyent.com are not vulnerable to this issue.
Stingray Users
Stingray instances are not affected by this vulnerability.