Due to a merge issue, the openssl-1.0.1h package in SmartOS 13.2.* images (i.e. pkgsrc-2013Q2) is vulnerable to Heartbleed. We are in the process of rebuilding the package with a fix, and when it is ready it will be available as openssl-1.0.1hnb1.
In the meantime you can install the openssl-1.0.1h package from 2013Q3 as it is compatible with your installed packages and is not vulnerable.
$ env PKG_PATH=$(awk -F= '{ gsub("Q2", "Q3"); print $2 }' \
/opt/local/etc/pkg_install.conf) pkg_add -U openssl-1.0.1h
Then restart any packages using OpenSSL, e.g.
$ svcadm restart apache
In our pkgsrc-2013Q2 repository we had previously added patches to fix the Heartbleed problem in earlier releases of OpenSSL. However, when the additional set of CVEs was released, we performed a full update to 1.0.1h to pick up the upstream fixes for all the recent CVEs as well as Heartbleed. Unfortunately, due to a merge issue, the patches we had previously added continued to exist in our patch tree.
Ordinarily this wouldn't be an issue, but the patch arguments default to -R, which will back out a patch if it detects that it has already been applied. This had the net effect of unpatching the upstream openssl-1.0.1h Heartbleed fixes and exposing the problem.
We will be looking at removing this default, so that reverse-patches are not applied in future.
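One way to catch this class of problem before a build, as an added example (not code from the pkgsrc tree): a check that flags local patches whose changes are already present in the updated upstream source, which is the condition under which a reverse-detecting patch run backs the fix out. The function names and the sample patch and sources are constructed for illustration; it assumes one file per patch and whitespace-exact matching with no fuzz.

```python
import re

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@")

def hunk_images(patch_text):
    """Yield (pre_image, post_image) line lists for each hunk of a one-file unified diff."""
    pre, post, in_hunk = [], [], False
    for line in patch_text.splitlines():
        if HUNK_RE.match(line):
            if in_hunk:
                yield pre, post
            pre, post, in_hunk = [], [], True
        elif in_hunk and line[:1] in ("+", " "):
            post.append(line[1:])
            if line[0] == " ":          # context lines belong to both images
                pre.append(line[1:])
        elif in_hunk and line.startswith("-"):
            pre.append(line[1:])
    if in_hunk:
        yield pre, post

def contains(block, lines):
    """True if block occurs as a contiguous, whitespace-exact run in lines."""
    n = len(block)
    return n > 0 and any(lines[i:i + n] == block for i in range(len(lines) - n + 1))

def image_present(image, other, lines):
    """Is this side of the hunk in the file? The longer side is the more specific match."""
    if len(image) >= len(other):
        return contains(image, lines)
    return contains(image, lines) and not contains(other, lines)

def classify(patch_text, source_text):
    """'stale': change already in the source, so a reverse-detecting run would undo it;
    'applies': pre-image present; 'conflict': neither image matches."""
    lines = source_text.splitlines()
    hunks = list(hunk_images(patch_text))
    if hunks and all(image_present(post, pre, lines) for pre, post in hunks):
        return "stale"
    if hunks and all(image_present(pre, post, lines) for pre, post in hunks):
        return "applies"
    return "conflict"

# Constructed sample: a stand-in bounds-check fix, not OpenSSL source.
OLD_SOURCE = "int hb(void) {\n    n = read_len(p);\n    memcpy(out, p, n);\n}\n"
NEW_SOURCE = ("int hb(void) {\n    n = read_len(p);\n    if (n > rec_len)\n"
              "        return 0;\n    memcpy(out, p, n);\n}\n")
LOCAL_PATCH = ("--- a/hb.c\n+++ b/hb.c\n@@ -2,2 +2,4 @@\n     n = read_len(p);\n"
               "+    if (n > rec_len)\n+        return 0;\n     memcpy(out, p, n);\n")

if __name__ == "__main__":
    for name, src in (("old upstream", OLD_SOURCE), ("new upstream", NEW_SOURCE)):
        print(name, "->", classify(LOCAL_PATCH, src))
```

A "stale" result for any file in the patch tree after a version bump means that patch should be deleted rather than carried forward.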