Discussion: Heartbleed Impact
We are using PostgreSQL binaries downloaded from here:
http://www.enterprisedb.com/products-services-training/pgbindownload
The binaries, which are currently at 9.3.3, were updated when the security vulnerabilities were announced in Feb 2014.
We embed certain binaries, and libssl.so.1.0.0 gets shipped along with a pre-built in-house database with the product.
Referred to this link http://blog.hagander.net/archives/219-PostgreSQL-and-the-OpenSSL-Heartbleed-vulnerability.html, and for our database SSL is off:
postgres=# show ssl;
 ssl
-----
 off
There is a note for the graphical installers but not the same for the binaries:
NOTE: April 10, 2014: The installers for PostgreSQL 9.3.4-3, 9.2.8-3, 9.1.13-3, 9.0.17-3 and 8.4.21-3 have recently been updated to include a patch to address CVE-2014-0160, a TLS heartbeat read overrun issue in the OpenSSL library that is packaged in the installer.
Can you please let us know about the impact in case binaries are being shipped and SSL is off?
Regards...
Dev Kumkar wrote:
> Can you please let us know about the impact in case binaries are being shipped and SSL is off?
Unless somebody changes the setting to ssl=on, there should be no problem.
Yours,
Laurenz Albe
On 16 April 2014 18:48, Dev Kumkar <devdas.kumkar@gmail.com> wrote:
> We embed certain binaries and libssl.so.1.0.0 gets shipped along with
> pre-build in-house database with product.
1.0.0 isn't affected.
Cheers,
Tony
On 2014-04-16 12:40, Tony Theodore wrote:
> On 16 April 2014 18:48, Dev Kumkar <devdas.kumkar@gmail.com> wrote:
>> We embed certain binaries and libssl.so.1.0.0 gets shipped along with
>> pre-build in-house database with product.
> 1.0.0 isn't affected.
The package version and the soversion are only loosely related.
E.g. the upstream OpenSSL 1.0.0 and 1.0.1 series both ship soversion 1.0.0.
Best regards,
Zoltán Böszörményi
On 16 April 2014 21:27, Boszormenyi Zoltan <zboszor@pr.hu> wrote:
> On 2014-04-16 12:40, Tony Theodore wrote:
>> 1.0.0 isn't affected.
>
> The package version and the soversion are only loosely related.
> E.g. the upstream OpenSSL 1.0.0 and 1.0.1 series both ship soversion 1.0.0.
Good point - thanks!
Tony
On Wed, Apr 16, 2014 at 4:57 PM, Boszormenyi Zoltan <zboszor@pr.hu> wrote:
> The package version and the soversion are only loosely related.
> E.g. the upstream OpenSSL 1.0.0 and 1.0.1 series both ship soversion 1.0.0.
> Best regards,
> Zoltán Böszörményi
Of which OpenSSL package version is the libssl.1.0.0.so available at http://www.enterprisedb.com/products-services-training/pgbindownload ?
Regards...
On Wed, Apr 16, 2014 at 3:18 PM, Albe Laurenz <laurenz.albe@wien.gv.at> wrote:
> Unless somebody changes the setting to ssl=on, there should be no problem.
> Yours,
> Laurenz Albe
Thanks. Also please help me understand: is changing this postgresql.conf setting enough to be vulnerable here?
Regards...
On Wed, Apr 16, 2014 at 5:28 PM, Dev Kumkar <devdas.kumkar@gmail.com> wrote:
> On Wed, Apr 16, 2014 at 4:57 PM, Boszormenyi Zoltan <zboszor@pr.hu> wrote:
>> The package version and the soversion are only loosely related.
>> E.g. the upstream OpenSSL 1.0.0 and 1.0.1 series both ship soversion 1.0.0.
>> Best regards,
>> Zoltán Böszörményi
> Of which OpenSSL package version is the libssl.1.0.0.so available at http://www.enterprisedb.com/products-services-training/pgbindownload ?
Ok, looked at the STRINGS output for the version and "OpenSSL 1.0.1f 6 Jan 2014" is seen.
Please let me know when the new binary is uploaded at the PG binary download link.
Regards...
Dev Kumkar wrote:
>> Of which OpenSSL package version is the libssl.1.0.0.so available at
>> http://www.enterprisedb.com/products-services-training/pgbindownload ?
>
> Ok, looked at the STRINGS output for the version and "OpenSSL 1.0.1f 6 Jan 2014" is seen.
>
> Please let me know when the new binary is uploaded at the PG binary download link.
This is an EnterpriseDB-supplied package. You should talk to them directly.
--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
Dev Kumkar wrote:
>> Unless somebody changes the setting to ssl=on, there should be no problem.
> Thanks. Also please help me understand: is changing this postgresql.conf setting enough to be
> vulnerable here?
Just changing the setting will only cause your database server to error out on restart - you also need to create certificates and put them into the server directory.
So whoever does this change must know what they are doing (to some extent).
Once SSL has been enabled, a cunning attacker may be able to steal the server's private key (if I understood the vulnerability correctly) and then launch man-in-the-middle attacks, i.e. impersonate the server, to eavesdrop on encrypted communication.
The remedy would be to create a new key pair for the server.
Yours,
Laurenz Albe
* Alvaro Herrera (alvherre@2ndquadrant.com) wrote:
> Dev Kumkar wrote:
>>> Of which OpenSSL package version is the libssl.1.0.0.so available at
>>> http://www.enterprisedb.com/products-services-training/pgbindownload ?
>>
>> Ok, looked at the STRINGS output for the version and "OpenSSL 1.0.1f 6 Jan 2014" is seen.
>>
>> Please let me know when the new binary is uploaded at the PG binary download link.
>
> This is an EnterpriseDB-supplied package. You should talk to them directly.
Yeah, I'm doing that already and they're looking into it right now.
Thanks,
Stephen
On Wed, Apr 16, 2014 at 6:54 PM, Stephen Frost <sfrost@snowman.net> wrote:
> Yeah, I'm doing that already and they're looking into it right now.
> Thanks,
> Stephen
I just downloaded the latest binaries from EnterpriseDB and when checking libssl.so.1.0.0 I can see this:
OpenSSL 1.0.1g 7 Apr 2014
OpenSSL 1.0.1g is the patched version.
Awaiting confirmation, and also please let me know if there is a NOTE or link which talks about this fix from the EnterpriseDB side.
Regards...
* Dev Kumkar (devdas.kumkar@gmail.com) wrote:
> I just downloaded the latest binaries from EnterpriseDB and when checking
> libssl.so.1.0.0 I can see this:
> OpenSSL 1.0.1g 7 Apr 2014
>
> OpenSSL 1.0.1g is the patched version.
Yes, checked w/ them and they say it's all patched..
> Awaiting confirmation, and also please let me know if there is a NOTE or
> link which talks about this fix from the EnterpriseDB side.
There's a note on the 'installers' page here:
http://www.enterprisedb.com/products-services-training/pgdownload
I believe they're going to add a note to the other page too.
Thanks,
Stephen
On Wed, Apr 16, 2014 at 7:50 PM, Stephen Frost <sfrost@snowman.net> wrote:
> * Dev Kumkar (devdas.kumkar@gmail.com) wrote:
>> I just downloaded the latest binaries from EnterpriseDB and when checking
>> libssl.so.1.0.0 I can see this:
>> OpenSSL 1.0.1g 7 Apr 2014
>>
>> OpenSSL 1.0.1g is the patched version.
> Yes, checked w/ them and they say it's all patched..
>> Awaiting confirmation, and also please let me know if there is a NOTE or
>> link which talks about this fix from the EnterpriseDB side.
> There's a note on the 'installers' page here:
> http://www.enterprisedb.com/products-services-training/pgdownload
> I believe they're going to add a note to the other page too.
> Thanks,
> Stephen
Thanks for the confirmation. Yup, checked the NOTE on the 'installers' page, and a note on the binary page will really help.
Regards...
On Wed, Apr 16, 2014 at 6:49 PM, Albe Laurenz <laurenz.albe@wien.gv.at> wrote:
> Dev Kumkar wrote:
>>> Unless somebody changes the setting to ssl=on, there should be no problem.
>> Thanks. Also please help me understand: is changing this postgresql.conf setting enough to be
>> vulnerable here?
> Just changing the setting will only cause your database server to error
> out on restart - you also need to create certificates and put them into
> the server directory.
> So whoever does this change must know what they are doing (to some extent).
> Once SSL has been enabled, a cunning attacker may be able to steal
> the server's private key (if I understood the vulnerability correctly)
> and then launch man-in-the-middle attacks, i.e. impersonate the server,
> to eavesdrop on encrypted communication.
> The remedy would be to create a new key pair for the server.
> Yours,
> Laurenz Albe
Thanks, this really helps. Currently we are not creating a certificate and are working in non-SSL mode.
Regards...
Hey,
What is the Windows equivalent of libssl.so.1.0.0?
Please reply, as this is really becoming a priority for me.
On 4/16/2014 9:38 AM, Dev Kumkar wrote:
> What is the Windows equivalent of libssl.so.1.0.0?
> Please reply, as this is really becoming a priority for me.
>
windows native stuff uses completely different TLS libraries, SChannel and stuff. AFAIK, these aren't subject to this bug, which was specific to OpenSSL 1.0.1x for x=a-f... openssl is only used on windows when someone uses it explicitly, such as in Cygwin applications, and such.
It *is* used by postgresql under windows as enterpriseDB builds it, since PG was written to use openssl in the first place.
--
john r pierce 37N 122W
somewhere on the middle of the left coast
On Thu, Apr 17, 2014 at 12:53 AM, John R Pierce <pierce@hogranch.com> wrote:
> windows native stuff uses completely different TLS libraries, SChannel and stuff. AFAIK, these aren't subject to this bug, which was specific to OpenSSL 1.0.1x for x=a-f... openssl is only used on windows when someone uses it explicitly, such as in Cygwin applications, and such.
> It *is* used by postgresql under windows as enterpriseDB builds it, since PG was written to use openssl in the first place.
> --
> john r pierce 37N 122W
> somewhere on the middle of the left coast
So does this mean the PostgreSQL binaries available from EnterpriseDB have an impact for Windows?
Can you help me with the binary name?
Regards...
On 4/16/2014 12:40 PM, Dev Kumkar wrote:
>
> So does this mean the PostgreSQL binaries available from EnterpriseDB have an
> impact for Windows?
> Can you help me with the binary name?
>
do you enable SSL and expose it to an insecure network ? if not, no exposure to the heartbleed bug.
AFAIK, the binary name is postgres.exe, from what I've read they are static linking openssl. the updated versions on the site linked in another message are fixed per the note on that page.
http://www.enterprisedb.com/products-services-training/pgdownload
--
john r pierce 37N 122W
somewhere on the middle of the left coast
On Thu, Apr 17, 2014 at 1:31 AM, John R Pierce <pierce@hogranch.com> wrote:
> do you enable SSL and expose it to an insecure network ? if not, no exposure to the heartbleed bug.
No, SSL is not enabled in my case, but I also wanted to make sure there is no binary available which can later result in any potential issue.
> AFAIK, the binary name is postgres.exe, from what I've read they are static linking openssl. the updated versions on the site linked in another message are fixed per the note on that page.
> http://www.enterprisedb.com/products-services-training/pgdownload
http://www.enterprisedb.com/products-services-training/pgbindownload also has the note added some time back.
I was able to verify the Linux binaries by looking at the STRINGS output of the .so file, but was not sure about the Windows side and hence was looking for confirmation.
Regards...
* Dev Kumkar (devdas.kumkar@gmail.com) wrote:
>> AFAIK, the binary name is postgres.exe, from what I've read they are
>> static linking openssl. the updated versions on the site linked in another
>> message are fixed per the note on that page.
>> http://www.enterprisedb.com/products-services-training/pgdownload
>
> http://www.enterprisedb.com/products-services-training/pgbindownload also
> has the note added some time back.
> I was able to verify the Linux binaries by looking at the STRINGS output of the .so file, but
> was not sure about the Windows side and hence was looking for confirmation.
All the binaries on both pages have been updated (and were a while back). They recently added the 'Note' to the binary downloads page to clarify this (it was just the Note that had been missing- the binaries themselves have been updated for a while).
Thanks,
Stephen
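The check Dev did by hand with STRINGS (grep the shipped library for its "OpenSSL 1.0.1f 6 Jan 2014" build banner), combined with Zoltán's warning that the soversion in the filename (libssl.so.1.0.0) says nothing about the upstream release, is worth automating for every embedded copy of OpenSSL, whether a Linux .so or a statically linked postgres.exe. The script below is an added example and not code from this thread, PostgreSQL or EnterpriseDB; it scans a file for the banner OpenSSL compiles into libcrypto/libssl, ignores the filename on purpose, and classifies the embedded version against the upstream CVE-2014-0160 range (1.0.1 through 1.0.1f, plus 1.0.2-beta1; the 1.0.0 and 0.9.8 branches never contained the heartbeat code). The sample byte blobs are constructed stand-ins for real binaries; the regex, function names and report format are this example's own choices.

```python
import re
import sys

# Build banner OpenSSL embeds in libssl/libcrypto (what `strings ... | grep OpenSSL` shows),
# e.g. "OpenSSL 1.0.1f 6 Jan 2014". Group 1 keeps the version plus any "-beta1"-style suffix.
BANNER_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-[A-Za-z0-9.]+)?) +\d{1,2} [A-Z][a-z]{2} \d{4}"
)


def heartbleed_affected(version: str) -> bool:
    """True if this upstream OpenSSL release carries CVE-2014-0160 (1.0.1..1.0.1f, 1.0.2-beta1)."""
    base, _, suffix = version.partition("-")
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", base)
    if not m:
        raise ValueError("not an OpenSSL version: %r" % version)
    numbers = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    if numbers == (1, 0, 1):
        return letter <= "f"      # "" (plain 1.0.1) and a..f affected; 1.0.1g and later fixed
    if numbers == (1, 0, 2):
        return suffix == "beta1"  # only the first 1.0.2 beta shipped the heartbeat bug
    return False                  # 1.0.0.x, 0.9.8.x and everything else: no heartbeat code


def openssl_banners(blob: bytes) -> list:
    """Every distinct OpenSSL build banner embedded in a binary, in order of appearance."""
    found = []
    for m in BANNER_RE.finditer(blob):
        version = m.group(1).decode("ascii")
        if version not in found:
            found.append(version)
    return found


def assess(name: str, blob: bytes) -> dict:
    """Classify one file. The filename (and thus the soversion) is deliberately not consulted."""
    versions = openssl_banners(blob)
    return {
        "file": name,
        "openssl_versions": versions,
        "affected": any(heartbleed_affected(v) for v in versions),
        "no_banner": not versions,
    }


# Constructed sample blobs standing in for a real libssl.so.1.0.0; the filler bytes imitate
# surrounding binary content so the scanner has to locate the banner inside noise.
SAMPLE_OLD = b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"OpenSSL 1.0.1f 6 Jan 2014\x00" + b"\xde\xad\xbe\xef" * 8
SAMPLE_NEW = b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"OpenSSL 1.0.1g 7 Apr 2014\x00" + b"\xde\xad\xbe\xef" * 8


def main(paths):
    """Scan each file named on the command line, or the two samples when none is given."""
    if paths:
        items = [(p, open(p, "rb").read()) for p in paths]
    else:
        items = [("libssl.so.1.0.0 (sample, old)", SAMPLE_OLD),
                 ("libssl.so.1.0.0 (sample, new)", SAMPLE_NEW)]
    for name, blob in items:
        r = assess(name, blob)
        if r["no_banner"]:
            verdict = "no OpenSSL banner found (not OpenSSL, or banner stripped): inspect another way"
        elif r["affected"]:
            verdict = "AFFECTED by CVE-2014-0160: " + ", ".join(r["openssl_versions"])
        else:
            verdict = "not affected: " + ", ".join(r["openssl_versions"])
        print("%s: %s" % (name, verdict))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python3 check_openssl_banner.py /path/to/libssl.so.1.0.0 /path/to/postgres.exe` (script name is an assumption). A verdict of "not affected" only covers the library's own code: as Laurenz notes above, a server that ever ran an affected build with ssl=on should also treat its key pair as exposed and rotate it, which no file scan can tell you.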
Hello Guys,
For PostgreSQL, is there any OpenSSL fix coming up for this issue: http://www.zdnet.com/openssl-fixes-another-severe-vulnerability-7000030253/
Currently in PostgreSQL 9.4.3 the version is as follows: OpenSSL 1.0.1g 7 Apr 2014
As per the above link, the fixed OpenSSL version would be 1.0.1h.
Looking forward to some comments here.
Regards...
On Thu, Jun 5, 2014 at 7:30 PM, Dev Kumkar <devdas.kumkar@gmail.com> wrote:
> Hello Guys,
> For PostgreSQL, is there any OpenSSL fix coming up for this issue: http://www.zdnet.com/openssl-fixes-another-severe-vulnerability-7000030253/
> Currently in PostgreSQL 9.4.3 the version is as follows: OpenSSL 1.0.1g 7 Apr 2014
> As per the above link, the fixed OpenSSL version would be 1.0.1h.
> Looking forward to some comments here.
Hi!
The guys at EnterpriseDB are busy building new installers as we speak, I would expect them to be out tomorrow or so.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
On Thu, Jun 5, 2014 at 11:03 PM, Magnus Hagander <magnus@hagander.net> wrote:
> Hi!
> The guys at EnterpriseDB are busy building new installers as we speak, I would expect them to be out tomorrow or so.
> --
> Magnus Hagander
> Me: http://www.hagander.net/
> Work: http://www.redpill-linpro.com/
Thanks for the update.
That's really good to know. I hope a fix for the binaries will also be available: http://www.enterprisedb.com/products-services-training/pgbindownload
Regards...