UPDATE as of 8:09am PDT (15:09 UTC) on 21-June-2014 - New *fixed* OpenSSL package now available in 2013Q2 repository
UPDATE as of 8:30am PDT (15:30 UTC) on 20-June-2014 - See section below regarding 2013Q2 repository
RESOLVED - UPDATE as of 11:30am PDT (18:30 UTC) on 09-June-2014
This notice is to advise Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently identified OpenSSL security issue CVE-2014-0224 (https://www.openssl.org/news/secadv_20140605.txt).
If you use the images with their original pkgsrc repositories as intended, check which package repository your image uses by looking at /opt/local/etc/pkgin/repositories.conf. If your repository is any of the following, and you have installed the openssl package using pkgin, you are vulnerable:
You can determine whether OpenSSL is installed by running:
pkgin ls | grep -i openssl
A patch has been prepared, and updated packages have been built and added to the affected repositories. All branches have been upgraded to OpenSSL version 1.0.1h, except for the 2013Q2 repository. Please install the update:
pkgin -y up && pkgin -y in openssl
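To confirm the result after upgrading, the following added example (not part of Joyent's notice) reads `pkgin ls` output and reports whether the installed openssl package is older than 1.0.1h. It assumes the usual `name-version  description` line format; the sample input is constructed, and the function names are hypothetical. The notice lists 2013Q2 as the exception to the 1.0.1h upgrade, so this comparison does not apply to that repository.

```shell
#!/bin/sh
FIXED="1.0.1h"   # fixed version named in this notice

# Read `pkgin ls` output on stdin and print the openssl package version.
# The anchored pattern skips packages such as py27-OpenSSL; a pkgsrc
# revision suffix (nb1, nb2, ...) is dropped before comparison.
openssl_pkg_version() {
    awk '$1 ~ /^openssl-[0-9]/ {
        sub(/^openssl-/, "", $1); sub(/nb[0-9]+$/, "", $1); print $1; exit
    }'
}

# Succeed (exit 0) if version $1 is older than $2, OpenSSL style:
# numeric fields first, then the letter suffix (1.0.1 < 1.0.1g < 1.0.1h).
version_older() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = a; sub(/[a-z]+$/, "", na); la = substr(a, length(na) + 1)
        nb = b; sub(/[a-z]+$/, "", nb); lb = substr(b, length(nb) + 1)
        n = split(na, x, "."); m = split(nb, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        if (length(la) != length(lb)) exit !(length(la) < length(lb))
        exit !(la < lb)
    }'
}

# Classify the package list on stdin.
check_openssl() {
    ver=$(openssl_pkg_version)
    if [ -z "$ver" ]; then
        echo "not-installed"
    elif version_older "$ver" "$FIXED"; then
        echo "vulnerable $ver"
    else
        echo "patched $ver"
    fi
}

# Constructed sample of `pkgin ls` output (not captured from a real system).
SAMPLE='nodejs-0.10.28  V8 JavaScript for clients and servers
openssl-1.0.1g  Secure Socket Layer and cryptographic library
py27-OpenSSL-0.13  Python interface to the OpenSSL library'
printf '%s\n' "$SAMPLE" | check_openssl
# On a live instance: pkgin ls | check_openssl
```

Services that were already running keep the old library loaded until they are restarted, so a "patched" result describes the package on disk only.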
Please check the notices applicable to the Linux distribution you are using for the necessary remedial actions:
CentOS/Red Hat/Fedora: https://rhn.redhat.com/errata/RHSA-2014-0631.html
Joyent Manta, CloudAPI and Portal
Please be assured that the Joyent HTTPS endpoints for Manta, CloudAPI and the portal at https://my.joyent.com are not vulnerable to this issue.
Stingray instances are not affected by this vulnerability.