OpenSSL Vulnerabilities

Started by Saravanan Subramaniyan, almost 12 years ago, 5 messages, general
#1 Saravanan Subramaniyan
sara1479@gmail.com

Hi All,
Recently OpenSSL released Security Advisory. Please refer below link

http://www.openssl.org/news/secadv_20140605.txt.

We are using postgresql version 9.2.8 which is vulnerable. Is postgresql
planning to release new version which include OpenSSL 1.0.1h?

Thanks
V.S.Saravanan

#2 Magnus Hagander
magnus@hagander.net
In reply to: Saravanan Subramaniyan (#1)
Re: OpenSSL Vulnerabilities

PostgreSQL itself is not vulnerable, so we will not release a new version.

If you are using the EnterpriseDB graphical installers, they are indeed
bundling the OpenSSL and it at least used to be the vulnerable version.
Unfortunately they don't seem to have information about the updates yet - I
will see if i can ping them about making sure that goes on there. I think
they have already patched it - but it's not confirmed on the website.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

#3 Saravanan Subramaniyan
sara1479@gmail.com
In reply to: Magnus Hagander (#2)
Re: OpenSSL Vulnerabilities

Thanks Magnus. We have removed as well as replaced the OpenSSL libraries.
The postgresql service is not coming up (SSL is turned off). I thought
OpenSSL is used when we turn on SSL in postgresql.

Thanks
V.S.Saravanan

#4 Magnus Hagander
magnus@hagander.net
In reply to: Saravanan Subramaniyan (#3)
Re: OpenSSL Vulnerabilities

PostgreSQL *uses* OpenSSL, but does not contain it.

PostgreSQL is still linked against openssl, so if you replaced it with an
incompatible version then it would break. But as I said, it depends on your
distribution of PostgreSQL. As long as you use something like RPM or DEB
packaging, that's all taken care of by the operating system and nothing is
bundled by PostgreSQL. If you installed manually from source, for example,
then of course you need to make sure that your updated openssl is
compatible with the old one.

//Magnus

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
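An added example, not part of this thread and not code from PostgreSQL or EnterpriseDB, to make the linkage point in Magnus's reply concrete: the postgres binary needs libssl and libcrypto at load time whatever ssl is set to in postgresql.conf, so an OpenSSL replacement must keep the soname the binary was built against, and the version actually loaded is what decides whether the advisory's fixes apply. The POSIX sh script below parses `ldd` output (a constructed sample is embedded so it runs offline) and orders OpenSSL version strings so that 1.0.1g sorts below the fixed 1.0.1h. The library paths, the /opt/PostgreSQL location, and the `strings` trick are assumptions of this example, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread or from PostgreSQL/EnterpriseDB): check
# which OpenSSL libraries a postgres binary is dynamically linked against and
# whether that OpenSSL is at or past the fixed release (1.0.1h per the advisory).
# Assumptions: Linux/glibc `ldd` output format, and OpenSSL version strings in
# the pre-1.1 letter-patch scheme ("1.0.1g") or the later "x.y.z" scheme; tagged
# strings such as "1.0.2-beta1" are rejected rather than mis-ordered.

# Map an OpenSSL version string to an integer that orders like the releases.
# The trailing letter is the patch level of the 1.0.x line: "" < a < b < ... < h,
# so 1.0.1g < 1.0.1h < 1.0.2 < 1.1.1k < 3.0.2.
openssl_version_key() {
    v=$1
    case $v in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "unsupported OpenSSL version string: $v" >&2; return 1 ;;
    esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%[!0-9]*}        # digits before any letter suffix
    letter=${rest#"$patch"}       # the suffix itself, possibly empty
    case $letter in
        "") n=0 ;;
        [a-z]) letters=abcdefghijklmnopqrstuvwxyz
               prefix=${letters%%"$letter"*}
               n=$(( ${#prefix} + 1 )) ;;
        *) echo "unsupported OpenSSL version string: $v" >&2; return 1 ;;
    esac
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + n ))
}

# Succeed (exit 0) when OpenSSL version $1 is at or past the fixed version $2.
openssl_at_least() {
    have=$(openssl_version_key "$1") || return 1
    want=$(openssl_version_key "$2") || return 1
    [ "$have" -ge "$want" ]
}

# Read `ldd <binary>` output on stdin and print, for every libssl/libcrypto the
# binary needs, the path the loader resolved it to, or "<soname> MISSING" when
# the loader found nothing. MISSING is what a postgres that refuses to start
# after an OpenSSL swap looks like: the replacement carries a different soname
# (libssl.so.1.1 instead of libssl.so.1.0.0, say), so the old binary cannot
# load it whether or not ssl is turned on in postgresql.conf.
extract_ssl_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ {
            if ($3 ~ /^\//) print $3; else print $1 " MISSING"
         }'
}

# Constructed sample `ldd` output (not captured from a real host): a healthy
# 1.0.x-linked postgres, and one whose libraries were replaced by an
# ABI-incompatible build.
SAMPLE_LDD_OK='    linux-vdso.so.1 =>  (0x00007ffd4a1fe000)
    libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f3a1c200000)
    libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f3a1be00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1ba00000)'
SAMPLE_LDD_BROKEN='    libssl.so.1.0.0 => not found
    libcrypto.so.1.0.0 => not found
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1ba00000)'

# Report one OpenSSL version string against the advisory's fixed release.
report_version() {
    if openssl_at_least "$1" "$2"; then
        echo "OpenSSL $1: at or past $2, fixed"
    else
        echo "OpenSSL $1: older than $2, still vulnerable"
    fi
}

echo "== linked libraries (healthy install) =="
printf '%s\n' "$SAMPLE_LDD_OK" | extract_ssl_libs
echo "== linked libraries (after an incompatible OpenSSL swap) =="
printf '%s\n' "$SAMPLE_LDD_BROKEN" | extract_ssl_libs
report_version 1.0.1g 1.0.1h
report_version 1.0.1h 1.0.1h

# On a real host (assumed paths: the EnterpriseDB installer typically keeps its
# own copies under /opt/PostgreSQL/<major>/lib, distro packages under /usr/lib):
#   ldd "$(command -v postgres)" | extract_ssl_libs
#   strings /opt/PostgreSQL/9.2/lib/libcrypto.so.1.0.0 | grep -m1 '^OpenSSL [0-9]'
# The second command prints the build's own version text (it lives in
# libcrypto, not libssl); feed that version string to report_version.
```

The two sample outputs map onto the thread: the healthy case is what a distro RPM/DEB install looks like after the OS package update, where the soname stayed libssl.so.1.0.0 and only the contents changed; the MISSING case is the "service is not coming up" symptom, which `ldd` shows before you ever look at ssl in postgresql.conf. For a bundled installer, run both commands against the installer's own lib directory rather than the system one, since that is the copy the postgres binary actually loads.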

#5 Saravanan Subramaniyan
sara1479@gmail.com
In reply to: Magnus Hagander (#4)
Re: OpenSSL Vulnerabilities

Thanks Magnus. We are using package downloaded from enterprisedb. Thanks
for the clarification.

Regards
V.S.Saravanan