Re: OpenSSL Vulnerability in pgAdmin III

Поиск
Список
Период
Сортировка
От Sathesh S
Тема Re: OpenSSL Vulnerability in pgAdmin III
Дата
Msg-id AM5PR10MB0689784C98A1A0EB3E05B46382A10@AM5PR10MB0689.EURPRD10.PROD.OUTLOOK.COM
обсуждение исходный текст
Ответ на Re: OpenSSL Vulnerability in pgAdmin III  (Dave Page <dpage@pgadmin.org>)
Ответы Re: OpenSSL Vulnerability in pgAdmin III  (Sathesh S <sathesh.sundaram@hotmail.com>)
Список pgadmin-support
Дерево обсуждения

Thanks Dave, it will be wonderful to have a updated final release.

Thanks,
Sathesh



On Tue, Nov 1, 2016 at 2:36 PM +0530, "Dave Page" <dpage@pgadmin.org> wrote:

Hi

Based on feedback from existing users, I'm currently thinking I'll do a final wrap-up release of community pgAdmin III next week (after PGConf.EU). This will include the latest OpenSSL release.

On Tuesday, November 1, 2016, Sathesh S <Sathesh.Sundaram@hotmail.com> wrote:

Hi Ben,

 

Thanks for the information. I tried to install pgAdmin3 LTS version in my laptop but looks like there is no option to install it without installing PGC, even after installing PGC I’m not to install pgAdmin3 as the package is not available.

 

If you have installed it, can you please tell what version of OpenSSL is used by pgAdmin3 LTS.

 

Also, it would be helpful if you can advice on copying OpenSSL file from pgAdmin IV to pgAdmin III (question in my previous email)

 

Thanks,

Sathesh

 

 

From: Ben Trewern
Sent: Monday, October 31, 2016 5:43 PM
To: Sathesh S
Cc: pgadmin-support@postgresql.org
Subject: Re: [pgadmin-support] OpenSSL Vulnerability in pgAdmin III

 

Hi,

For pgAdmin III it might be worth looking at http://www.bigsql.org/pgadmin3/.  They are looking at updating and supporting pgAdmin III for a while longer.

Regards,

Ben


On 31 Oct 2016, at 04:43, Sathesh S <Sathesh.Sundaram@hotmail.com> wrote:

 
Hello All,
 
We use pgAdmin III to connect to Greenplum database. We had recently found out from our vulnerability team that pgAdmin III uses OpenSSL version before 1.0.2h which has the below vulnerability.
 
OpenSSL version before 1.0.1t & 1.0.2h has vulnerabilities. And pgAdmin 3 is using a vulnerable version of OpenSSL.
 
The latest version in pgAdmin III is v1.22 and it is using OpenSSL version 1.0.2f.
 
Below is the info related to the vulnerability: 
Overview: The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
 
Even though pgAdmin IV uses a OpenSSL version above 1.0.2h, we are unable to use pgAdmin IV because it is having issues connection to Greenplum (it gives below error)
 
ERROR: unrecognized configuration parameter "bytea_output"
 
Can you please help with my below questions:
 
1.       I  understand that pgAdmin III is not supported anymore, but because pgAdmin IV is relatively new and lot of people would be still using pgAdmin III, will a updated version of pgAdmin III released with latest version of OpenSSL be released?
 
2.       Can end users update the OpenSSL version themselves? I mean – Since pgAdmin IV is using OpenSSL 1.0.2h, can we copy this file to pgAdmin III v1.22.
Is this workaround okay/allowed?
Will this workaround create any issues in pgAdmin III?
 
Please help, thanks in advance.
 
Thanks,
Sathesh



--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

В списке pgadmin-support по дате отправления:

Предыдущее
От: Dave Page
Дата:
Сообщение: Re: OpenSSL Vulnerability in pgAdmin III
Следующее
От: Mark Murawski
Дата:
Сообщение: Re: Can't install pgadmin4 on linux (flask required)