TPS-2014-002 OpenSSL Vulnerability CVE-2014-0224 (Heartbleed)

UPDATE as of 8:09am PDT (15:09 UTC) on 21-June-2014 - New fixed OpenSSL package now available in 2013Q2 repository

UPDATE as of 8:30am PDT (15:30 UTC) on 20-June-2014 - See section below regarding 2013Q2 repository

RESOLVED - UPDATE as of 11:30am PDT (18:30 UTC) on 09-June-2014

This notice is to advise Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently-identified OpenSSL security issue CVE-2014-0224 (

SmartOS users

If you use the images with their original pkgsrc repositories as intended, check which package repository your image uses by looking at /opt/local/etc/pkgin/repositories.conf. If your repository is any of the following, and you have installed the openssl package using pkgin, you are vulnerable:

  • 2014Q1
  • 2013Q4
  • 2013Q3
  • 2013Q2*
  • 2013Q1
  • 2012Q4

You can determine whether OpenSSL is installed by running:

pkgin ls | grep -i openssl

A patch has been prepared and updated packages have been built and added to the affected repositories. All branches have been upgraded to OpenSSL Version 1.0.1h, except for the 2013Q2 repository - please install:


Customers can re-install OpenSSL with the following commands:

pkgin -y up && pkgin -y in openssl
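
The SmartOS checks above, combined into one script, as an added example that is not Joyent's own tooling. The branch list and the 1.0.1h fixed version come from this notice; the function names, status words and the assumed `pkgin ls` line format ("name-version  description") are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Joyent tooling. Branch list and fixed version are taken
# from the advisory; function names and status strings are hypothetical.
AFFECTED="2014Q1 2013Q4 2013Q3 2013Q2 2013Q1 2012Q4"
FIXED_PREFIX="1.0.1h"

# repo_branch FILE: print the quarterly branch (e.g. 2013Q3) from the first
# uncommented line of a repositories.conf that names one.
repo_branch() {
    sed -n '/^[[:space:]]*#/d; s/.*\(20[0-9][0-9]Q[1-4]\).*/\1/p' "$1" | head -n 1
}

# openssl_version FILE: print the openssl version from saved `pkgin ls` output.
# Assumes lines of the form "name-version  description". Matching on the
# package name avoids the extra hits `grep -i openssl` can give, e.g. a
# package such as py27-OpenSSL.
openssl_version() {
    awk '$1 ~ /^openssl-[0-9]/ { sub(/^openssl-/, "", $1); print $1; exit }' "$1"
}

# assess REPO_CONF PKG_LIST: print one status word.
assess() {
    branch=$(repo_branch "$1")
    version=$(openssl_version "$2")
    case " $AFFECTED " in
        *" ${branch:-none} "*) ;;
        *) echo "repo-not-listed"; return 0 ;;
    esac
    if [ -z "$version" ]; then
        echo "openssl-not-installed"
    elif [ "$branch" = "2013Q2" ]; then
        # The advisory gives no fixed version number for this branch.
        echo "see-2013Q2-note"
    else
        case "$version" in
            "$FIXED_PREFIX"*) echo "fixed" ;;
            *) echo "update-needed" ;;
        esac
    fi
}

# Usage: pkgin ls > /tmp/pkgs
#        sh check.sh /opt/local/etc/pkgin/repositories.conf /tmp/pkgs
if [ "$#" -eq 2 ]; then
    assess "$1" "$2"
fi
```

The "fixed" status only means the installed version string begins with the 1.0.1h named in this notice; it does not evaluate later releases.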

Linux Users

Please check the notices applicable to the Linux distribution you are using for the necessary remedial actions:

Joyent Manta, CloudAPI and Portal

Please be assured that the Joyent HTTPS endpoints for Manta, CloudAPI and the portal at are not vulnerable to this issue.

Stingray Users

Stingray instances are not affected by this vulnerability.