[RESOLVED] OpenSSL Vulnerability CVE-2014-0160 (Heartbleed)

Peter Gale (suspended)

RESOLVED - UPDATE at 08:45 PST, 15:45 UTC - April 9, 2014


This notice is to advise Joyent Public Cloud and Smart Data Center customers of the recently identified OpenSSL security issue CVE-2014-0160 (https://www.openssl.org/news/secadv_20140407.txt and http://heartbleed.com).

SmartOS users

If you use the images with their original pkgsrc repositories as intended, check which package repository your image uses by looking at /opt/local/etc/pkgin/repositories.conf.  If your repository is any of the following, and you have installed the openssl package using pkgin, you are vulnerable:

You can check if OpenSSL is installed by running:
 pkgin ls | grep -i openssl

A patch has been prepared and updated packages have been built and added to the affected repositories as follows. The package name for each is shown alongside the repository name.


2012Q4 - openssl-1.0.1dnb3
2013Q1 - openssl-1.0.1enb1
2013Q2 - openssl-1.0.1enb2
2013Q3 - openssl-1.0.1enb3
2013Q4 - openssl-1.0.1fnb1


Customers can re-install OpenSSL with the following commands:
pkgin -y up && pkgin -y in openssl
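
The check described above as a script (an added example, not part of Joyent's notice): it compares an installed openssl package name against the patched build listed for the image's repository. The function names are hypothetical, the sample repository line is constructed, and it assumes the repository URL contains the quarter name and that the first field of a `pkgin ls` line is the package name.

```shell
# Added example (not Joyent's code): compare an installed openssl package
# against the patched build this notice lists for the image's repository.
# Patched package per repository, copied from the list in the notice.
fixed_pkg_for() {
    case "$1" in
        2012Q4) echo openssl-1.0.1dnb3 ;;
        2013Q1) echo openssl-1.0.1enb1 ;;
        2013Q2) echo openssl-1.0.1enb2 ;;
        2013Q3) echo openssl-1.0.1enb3 ;;
        2013Q4) echo openssl-1.0.1fnb1 ;;
        *) return 1 ;;
    esac
}

# Assumption: the repository URL embeds the quarter name, e.g. ".../2013Q3/...".
# $1 = contents of repositories.conf; comment lines are ignored.
quarter_of() {
    printf '%s\n' "$1" |
        sed -n '/^[[:space:]]*#/d; s/.*\(20[0-9][0-9]Q[1-4]\).*/\1/p' | head -n 1
}

# $1 = quarter, $2 = package name (first field of a `pkgin ls` line).
# Prints patched, vulnerable, or unknown (quarter or release not in the list).
openssl_status() {
    fixed=$(fixed_pkg_for "$1") || { echo unknown; return 0; }
    # pkgsrc appends "nbN" as the package revision; no suffix means revision 0.
    case "$2" in *nb[0-9]*) have_rev=${2##*nb} ;; *) have_rev=0 ;; esac
    case "$have_rev" in *[!0-9]*) echo unknown; return 0 ;; esac
    if [ "${2%nb*}" != "${fixed%nb*}" ]; then
        echo unknown
    elif [ "$have_rev" -ge "${fixed##*nb}" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Constructed sample repository file (placeholder host, not a real mirror).
SAMPLE_CONF='# constructed example
http://pkgsrc.example.invalid/packages/SmartOS/2013Q3/x86_64/All'
# On a SmartOS zone, check the live system; on any other host this is skipped.
CONF=/opt/local/etc/pkgin/repositories.conf
if command -v pkgin >/dev/null 2>&1 && [ -r "$CONF" ]; then
    q=$(quarter_of "$(cat "$CONF")")
    pkgin ls | awk '$1 ~ /^openssl-[0-9]/ { print $1 }' | while read -r p; do
        echo "$p ($q): $(openssl_status "$q" "$p")"
    done
fi
```

A result of "unknown" means the quarter or the upstream release is not one the notice lists, so the list cannot decide it.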

Linux Users

Please check the notices applicable to the Linux distribution you are using for the necessary remedial actions:

Debian: https://www.debian.org/security/2014/dsa-2896
CentOS/Red Hat/Fedora: https://rhn.redhat.com/errata/RHSA-2014-0376.html
Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/

Joyent Manta, CloudAPI and Portal

Please be assured that the Joyent HTTPS endpoints for Manta, CloudAPI and the portal at https://my.joyent.com were not vulnerable to this issue.

Stingray Users

Stingray instances are NOT affected by this vulnerability.

Node.js Users

Only versions v0.10.0 and v0.10.1 were affected; the latest stable release, v0.10.26, is not affected. None of the releases for v0.8 were affected.


Peter Gale
Joyent Support

