Heartbleed Impact
We are using PostgreSQL binaries downloaded from here:
http://www.enterprisedb.com/products-services-training/pgbindownload
The binaries, which are currently at 9.3.3, were updated when the security
vulnerabilities were announced in Feb 2014.
We embed certain binaries, and libssl.so.1.0.0 gets shipped along with a
pre-built in-house database with the product.
I referred to this link:
http://blog.hagander.net/archives/219-PostgreSQL-and-the-OpenSSL-Heartbleed-vulnerability.html
and for our database SSL is off:
SSL connections are OFF.
postgres=# show ssl;
ssl
-----
off
There is a note for the graphical installers but not the same for binaries:
*NOTE:* April 10, 2014: The installers for PostgreSQL 9.3.4-3, 9.2.8-3,
9.1.13-3, 9.0.17-3 and 8.4.21-3 have recently been updated to include a
patch to address CVE-2014-0160, a TLS heartbeat read overrun issue in the
OpenSSL library that is packaged in the installer.
Can you please let us know about the impact in case binaries are being
shipped and SSL is off?
Regards...
Dev Kumkar wrote:
Can you please let us know about the impact in case binaries are being shipped and SSL is off?
Unless somebody changes the setting to ssl=on, there should be no problem.
Yours,
Laurenz Albe
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
On 16 April 2014 18:48, Dev Kumkar <devdas.kumkar@gmail.com> wrote:
We embed certain binaries and libssl.so.1.0.0 gets shipped along with a
pre-built in-house database with the product.
1.0.0 isn't affected.
Cheers,
Tony
On 2014-04-16 12:40, Tony Theodore wrote:
On 16 April 2014 18:48, Dev Kumkar <devdas.kumkar@gmail.com> wrote:
We embed certain binaries and libssl.so.1.0.0 gets shipped along with a
pre-built in-house database with the product.
1.0.0 isn't affected.
The package version and the soversion are only loosely related.
E.g. the upstream OpenSSL 1.0.0 and 1.0.1 series both ship soversion 1.0.0.
Best regards,
Zoltán Böszörményi
On 16 April 2014 21:27, Boszormenyi Zoltan <zboszor@pr.hu> wrote:
On 2014-04-16 12:40, Tony Theodore wrote:
1.0.0 isn't affected.
The package version and the soversion are only loosely related.
E.g. the upstream OpenSSL 1.0.0 and 1.0.1 series both ship soversion 1.0.0.
Good point - thanks!
Tony
On Wed, Apr 16, 2014 at 4:57 PM, Boszormenyi Zoltan <zboszor@pr.hu> wrote:
The package version and the soversion are only loosely related.
E.g. the upstream OpenSSL 1.0.0 and 1.0.1 series both ship soversion 1.0.0.
Best regards,
Zoltán Böszörményi
Which OpenSSL package version's libssl.1.0.0.so is available at
http://www.enterprisedb.com/products-services-training/pgbindownload ?
Regards...
On Wed, Apr 16, 2014 at 3:18 PM, Albe Laurenz <laurenz.albe@wien.gv.at> wrote:
Unless somebody changes the setting to ssl=on, there should be no problem.
Yours,
Laurenz Albe
Thanks. Also, please help me understand: is changing this postgresql.conf
setting enough to be vulnerable here?
Regards...
On Wed, Apr 16, 2014 at 5:28 PM, Dev Kumkar <devdas.kumkar@gmail.com> wrote:
On Wed, Apr 16, 2014 at 4:57 PM, Boszormenyi Zoltan <zboszor@pr.hu> wrote:
The package version and the soversion are only loosely related.
E.g. the upstream OpenSSL 1.0.0 and 1.0.1 series both ship soversion 1.0.0.
Best regards,
Zoltán Böszörményi
Which OpenSSL package version's libssl.1.0.0.so is available at
http://www.enterprisedb.com/products-services-training/pgbindownload ?
OK, I looked at the strings output of the library and "OpenSSL 1.0.1f 6 Jan 2014" is
seen.
Please let me know if the new binary is uploaded at the PG binary download link.
Regards...
Dev Kumkar wrote:
Which OpenSSL package version's libssl.1.0.0.so is available at
http://www.enterprisedb.com/products-services-training/pgbindownload ?
OK, I looked at the strings output of the library and "OpenSSL 1.0.1f 6 Jan 2014" is
seen.
Please let me know if the new binary is uploaded at the PG binary download link.
This is an EnterpriseDB-supplied package. You should talk to them
directly.
--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
Dev Kumkar wrote:
Unless somebody changes the setting to ssl=on, there should be no problem.
Thanks. Also, please help me understand: is changing this postgresql.conf setting enough to be
vulnerable here?
Just changing the setting will only cause your database server to error
out on restart - you also need to create certificates and put them into
the server directory.
So whoever does this change must know what they are doing (to some extent).
Once SSL has been enabled, a cunning attacker may be able to steal
the server's private key (if I understood the vulnerability correctly)
and then launch man-in-the-middle attacks, i.e. impersonate the server,
to eavesdrop on encrypted communication.
The remedy would be to create a new key pair for the server.
Yours,
Laurenz Albe
* Alvaro Herrera (alvherre@2ndquadrant.com) wrote:
Dev Kumkar wrote:
Which OpenSSL package version's libssl.1.0.0.so is available at
http://www.enterprisedb.com/products-services-training/pgbindownload ?
OK, I looked at the strings output of the library and "OpenSSL 1.0.1f 6 Jan 2014" is
seen.
Please let me know if the new binary is uploaded at the PG binary download link.
This is an EnterpriseDB-supplied package. You should talk to them
directly.
Yeah, I'm doing that already and they're looking into it right now.
Thanks,
Stephen
On Wed, Apr 16, 2014 at 6:54 PM, Stephen Frost <sfrost@snowman.net> wrote:
Yeah, I'm doing that already and they're looking into it right now.
Thanks,
Stephen
I just downloaded the latest binaries from EnterpriseDB and when checked
with libssl.so.1.0.0 can see this:
OpenSSL 1.0.1g 7 Apr 2014
OpenSSL 1.0.1g is the patched version.
Awaiting confirmation; also, please let me know if there is a certain NOTE or
link which talks about this fix from the EnterpriseDB side.
Regards...
* Dev Kumkar (devdas.kumkar@gmail.com) wrote:
I just downloaded the latest binaries from EnterpriseDB and when checked
with libssl.so.1.0.0 can see this:
OpenSSL 1.0.1g 7 Apr 2014
OpenSSL 1.0.1g is the patched version.
Yes, checked w/ them and they say it's all patched.
Awaiting confirmation; also, please let me know if there is a certain NOTE or
link which talks about this fix from the EnterpriseDB side.
There's a note on the 'installers' page here:
http://www.enterprisedb.com/products-services-training/pgdownload
I believe they're going to add a note to the other page too.
Thanks,
Stephen
On Wed, Apr 16, 2014 at 7:50 PM, Stephen Frost <sfrost@snowman.net> wrote:
* Dev Kumkar (devdas.kumkar@gmail.com) wrote:
I just downloaded the latest binaries from EnterpriseDB and when checked
with libssl.so.1.0.0 can see this:
OpenSSL 1.0.1g 7 Apr 2014
OpenSSL 1.0.1g is the patched version.
Yes, checked w/ them and they say it's all patched.
Awaiting confirmation; also, please let me know if there is a certain NOTE
or link which talks about this fix from the EnterpriseDB side.
There's a note on the 'installers' page here:
http://www.enterprisedb.com/products-services-training/pgdownload
I believe they're going to add a note to the other page too.
Thanks,
Stephen
Thanks for the confirmation. Yup, I checked the NOTE on the 'installers' page, and
a note on the binary page will really help.
Regards...
On Wed, Apr 16, 2014 at 6:49 PM, Albe Laurenz <laurenz.albe@wien.gv.at> wrote:
Dev Kumkar wrote:
Unless somebody changes the setting to ssl=on, there should be no
problem.
Thanks. Also, please help me understand: is changing this
postgresql.conf setting enough to be
vulnerable here?
Just changing the setting will only cause your database server to error
out on restart - you also need to create certificates and put them into
the server directory.
So whoever does this change must know what they are doing (to some extent).
Once SSL has been enabled, a cunning attacker may be able to steal
the server's private key (if I understood the vulnerability correctly)
and then launch man-in-the-middle attacks, i.e. impersonate the server,
to eavesdrop on encrypted communication.
The remedy would be to create a new key pair for the server.
Yours,
Laurenz Albe
Thanks, this really helps. Currently we are not creating a certificate and
are working in non-SSL mode.
Regards...
Hey,
What is the Windows equivalent of libssl.so.1.0.0?
Please reply, as this is really becoming a priority for me.
Regards...
On 4/16/2014 9:38 AM, Dev Kumkar wrote:
What is the Windows equivalent of libssl.so.1.0.0?
Please reply, as this is really becoming a priority for me.
Windows native stuff uses completely different TLS libraries, SChannel
and stuff. AFAIK, these aren't subject to this bug, which was specific
to OpenSSL 1.0.1x for x=a-f... OpenSSL is only used on Windows when
someone uses it explicitly, such as in Cygwin applications, and such.
It *is* used by PostgreSQL under Windows as EnterpriseDB builds it,
since PG was written to use OpenSSL in the first place.
--
john r pierce 37N 122W
somewhere on the middle of the left coast
On Thu, Apr 17, 2014 at 12:53 AM, John R Pierce <pierce@hogranch.com> wrote:
Windows native stuff uses completely different TLS libraries, SChannel and
stuff. AFAIK, these aren't subject to this bug, which was specific to
OpenSSL 1.0.1x for x=a-f... OpenSSL is only used on Windows when someone
uses it explicitly, such as in Cygwin applications, and such.
It *is* used by PostgreSQL under Windows as EnterpriseDB builds it, since
PG was written to use OpenSSL in the first place.
--
john r pierce 37N 122W
somewhere on the middle of the left coast
So does this mean the PostgreSQL binaries available on EnterpriseDB have an
impact for Windows?
Can you help me with the binary name?
Regards...
On 4/16/2014 12:40 PM, Dev Kumkar wrote:
So does this mean the PostgreSQL binaries available on EnterpriseDB have an
impact for Windows?
Can you help me with the binary name?
Do you enable SSL and expose it to an insecure network? If not, no
exposure to the Heartbleed bug.
AFAIK, the binary name is postgres.exe; from what I've read they are
statically linking OpenSSL. The updated versions on the site linked in
another message are fixed per the note on that page.
http://www.enterprisedb.com/products-services-training/pgdownload
--
john r pierce 37N 122W
somewhere on the middle of the left coast
On Thu, Apr 17, 2014 at 1:31 AM, John R Pierce <pierce@hogranch.com> wrote:
Do you enable SSL and expose it to an insecure network? If not, no
exposure to the Heartbleed bug.
No, SSL is not enabled in my case, but I also wanted to make sure there is no
binary available which can later result in any potential issue.
AFAIK, the binary name is postgres.exe; from what I've read they are
statically linking OpenSSL. The updated versions on the site linked in another
message are fixed per the note on that page.
http://www.enterprisedb.com/products-services-training/pgdownload
http://www.enterprisedb.com/products-services-training/pgbindownload also
has the note added some time back.
I was able to verify the Linux binaries by looking at the strings of the .so file, but
was not sure about the Windows side and hence was looking for confirmation.
Regards...
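An added example, not from anyone in this thread, of the check Dev describes: pull the embedded OpenSSL banner out of a shipped libssl.so.1.0.0 (or, per John's note, a statically linked postgres.exe) and classify it against the 1.0.1a-f range. The sample file names and banners below are constructed stand-ins for the real files.

```shell
#!/bin/sh
# Added example, not from the thread: read the OpenSSL banner baked into a
# library or executable and classify it for CVE-2014-0160. grep -a scans the
# raw bytes, so it works on libssl.so.1.0.0 and on a statically linked
# postgres.exe alike, without needing the strings(1) tool.

# Print the first "OpenSSL x.y.zL dd Mon yyyy" banner found in the file.
openssl_banner() {
    LC_ALL=C grep -a -o -E \
        'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]? [0-9]{1,2} [A-Z][a-z]{2} [0-9]{4}' "$1" \
        | head -n 1
}

# Map the banner's version token to a status word. Affected: 1.0.1 (no
# letter) through 1.0.1f; 1.0.1g is the fix. The 1.0.0 and 0.9.8 series
# lack the heartbeat code, which is why the "1.0.0" soversion in the file
# name says nothing about exposure (Zoltán's point in the thread).
heartbleed_status() {
    banner=$(openssl_banner "$1")
    [ -n "$banner" ] || { echo "unknown"; return 0; }
    ver=$(printf '%s\n' "$banner" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]) echo "vulnerable" ;;
        1.0.1[g-z])       echo "patched" ;;
        *)                echo "not-affected" ;;
    esac
}

# Write a constructed stand-in for a real library: a banner surrounded by
# binary noise, so the grep has to cope with non-text bytes.
make_sample() {
    printf '\177ELF\001\002noise\001%s\001more noise\n' "$2" > "$1"
}

demo() {
    dir=$(mktemp -d)
    make_sample "$dir/libssl-jan.so" 'OpenSSL 1.0.1f 6 Jan 2014'
    make_sample "$dir/libssl-apr.so" 'OpenSSL 1.0.1g 7 Apr 2014'
    make_sample "$dir/libssl-100.so" 'OpenSSL 1.0.0k 5 Feb 2013'
    for f in "$dir"/*.so; do
        printf '%s: %s (%s)\n' "$(basename "$f")" \
            "$(heartbleed_status "$f")" "$(openssl_banner "$f")"
    done
    rm -rf "$dir"
}

demo
```

For the Windows build, run the same functions against postgres.exe from a Cygwin or Git Bash shell, or copy the file to a Linux box; the banner scan does not depend on the file format.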