Discussion: Heartbleed Impact


Heartbleed Impact

From
Dev Kumkar
Date:
We are using PostgreSQL binaries downloaded from here:
http://www.enterprisedb.com/products-services-training/pgbindownload

The binaries, which are currently at 9.3.3, were updated when the security vulnerabilities were announced in Feb 2014.

We embed certain binaries, and libssl.so.1.0.0 gets shipped along with the pre-built in-house database with the product.

Referred to this link http://blog.hagander.net/archives/219-PostgreSQL-and-the-OpenSSL-Heartbleed-vulnerability.html and for our database SSL is off:
        SSL connections are OFF:
        postgres=# show ssl;
         ssl
        -----
         off
There is a note for the graphical installers but not the same for the binaries:
NOTE: April 10, 2014: The installers for PostgreSQL 9.3.4-3, 9.2.8-3, 9.1.13-3, 9.0.17-3 and 8.4.21-3 have recently been updated to include a patch to address CVE-2014-0160, a TLS heartbeat read overrun issue in the OpenSSL library that is packaged in the installer.

Can you please let us know about the impact in case binaries are being shipped and SSL is off?
 
Regards...

Re: Heartbleed Impact

From
Albe Laurenz
Date:
Dev Kumkar wrote:
> Can you please let us know about the impact in case binaries are being shipped and SSL is off?

Unless somebody changes the setting to ssl=on, there should be no problem.

Yours,
Laurenz Albe

Re: Heartbleed Impact

From
Tony Theodore
Date:
On 16 April 2014 18:48, Dev Kumkar <devdas.kumkar@gmail.com> wrote:

> We embed certain binaries, and libssl.so.1.0.0 gets shipped along with the
> pre-built in-house database with the product.

1.0.0 isn't affected.

Cheers,

Tony


Re: Heartbleed Impact

From
Boszormenyi Zoltan
Date:
On 2014-04-16 12:40, Tony Theodore wrote:
> On 16 April 2014 18:48, Dev Kumkar <devdas.kumkar@gmail.com> wrote:
>
>> We embed certain binaries, and libssl.so.1.0.0 gets shipped along with the
>> pre-built in-house database with the product.
> 1.0.0 isn't affected.

The package version and the soversion are only loosely related.
E.g. the upstream OpenSSL 1.0.0 and 1.0.1 series both ship soversion 1.0.0.

Best regards,
Zoltán Böszörményi



Re: Heartbleed Impact

From
Tony Theodore
Date:
On 16 April 2014 21:27, Boszormenyi Zoltan <zboszor@pr.hu> wrote:
> On 2014-04-16 12:40, Tony Theodore wrote:

>> 1.0.0 isn't affected.
>
>
> The package version and the soversion are only loosely related.
> E.g. the upstream OpenSSL 1.0.0 and 1.0.1 series both ship soversion 1.0.0.

Good point - thanks!

Tony


Re: Heartbleed Impact

From
Dev Kumkar
Date:
On Wed, Apr 16, 2014 at 4:57 PM, Boszormenyi Zoltan <zboszor@pr.hu> wrote:
The package version and the soversion are only loosely related.
E.g. the upstream OpenSSL 1.0.0 and 1.0.1 series both ship soversion 1.0.0.

Best regards,
Zoltán Böszörményi

Regards...

Re: Heartbleed Impact

From
Dev Kumkar
Date:
On Wed, Apr 16, 2014 at 3:18 PM, Albe Laurenz <laurenz.albe@wien.gv.at> wrote:

Unless somebody changes the setting to ssl=on, there should be no problem.

Yours,
Laurenz Albe

Thanks. Also, please help me understand: is changing this postgresql.conf setting enough to be vulnerable here?

Regards...

Re: Heartbleed Impact

From
Dev Kumkar
Date:
On Wed, Apr 16, 2014 at 5:28 PM, Dev Kumkar <devdas.kumkar@gmail.com> wrote:
On Wed, Apr 16, 2014 at 4:57 PM, Boszormenyi Zoltan <zboszor@pr.hu> wrote:
The package version and the soversion are only loosely related.
E.g. the upstream OpenSSL 1.0.0 and 1.0.1 series both ship soversion 1.0.0.

Best regards,
Zoltán Böszörményi


OK, looked at the strings output and the version string "OpenSSL 1.0.1f 6 Jan 2014" is seen.

Please let me know if the new binary is uploaded at PG binary download link.

Regards...

Re: Heartbleed Impact

From
Alvaro Herrera
Date:
Dev Kumkar wrote:

> > of which OpenSSL package versions' libssl.1.0.0.so is available at
> > http://www.enterprisedb.com/products-services-training/pgbindownload ?
> >
>
> OK, looked at the strings output and the version string "OpenSSL 1.0.1f 6 Jan 2014" is
> seen.
>
> Please let me know if the new binary is uploaded at PG binary download link.

This is an EnterpriseDB-supplied package.  You should talk to them
directly.

--
Álvaro Herrera                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services


Re: Heartbleed Impact

From
Albe Laurenz
Date:
Dev Kumkar wrote:
>> Unless somebody changes the setting to ssl=on, there should be no problem.

> Thanks. Also, please help me understand: is changing this postgresql.conf setting enough to be
> vulnerable here?

Just changing the setting will only cause your database server to error
out on restart - you also need to create certificates and put them into
the server directory.

So whoever does this change must know what they are doing (to some extent).

Once SSL has been enabled, a cunning attacker may be able to steal
the server's private key (if I understood the vulnerability correctly)
and then launch man-in-the-middle attacks, i.e. impersonate the server,
to eavesdrop on encrypted communication.

The remedy would be to create a new key pair for the server.

Yours,
Laurenz Albe
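The remedy Laurenz describes above, scripted as an added example that is not part of the thread and not EnterpriseDB's code: generate a fresh server key pair and self-signed certificate for the data directory (a new key, not just a new certificate, because the bug can leak the old private key out of server memory), check the permission PostgreSQL enforces on server.key before ssl=on will let it start, and switch the setting on. The data directory path, the CN and the 365-day validity are assumptions; `openssl req` is used for the self-signed certificate as in the PostgreSQL documentation, and the script must run as the server user so the new key ends up owned by it.

```sh
#!/bin/sh
# Added example (not from the thread or EnterpriseDB): rotate a PostgreSQL
# server's SSL key pair after a possible Heartbleed exposure.

# PostgreSQL refuses to start with ssl=on if server.key is readable by group
# or others; it expects mode 0600 (or 0400) owned by the server user.
# Prints "ok", "bad" or "missing".
key_perms_status() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        '')          echo missing ;;
        -rw-------)  echo ok ;;
        -r--------)  echo ok ;;
        *)           echo bad ;;   # e.g. -rw-r--r--: the server will not start
    esac
}

# Replace server.key/server.crt in the data directory with a new self-signed
# pair. Assumed: datadir path and CN (hypothetical), 365-day validity.
# Requires openssl(1). Prints the key permission status afterwards.
rotate_server_key() {
    datadir=$1; cn=$2
    # umask 077 in a subshell so the key is never world-readable, even briefly
    ( umask 077 && openssl req -new -x509 -nodes -days 365 -subj "/CN=$cn" \
        -keyout "$datadir/server.key" -out "$datadir/server.crt" 2>/dev/null ) || return 1
    chmod 600 "$datadir/server.key"
    chmod 644 "$datadir/server.crt"
    key_perms_status "$datadir/server.key"
}

# Turn SSL on in postgresql.conf: the last occurrence of a setting wins, so
# appending is enough. The server must then be restarted (pg_ctl restart -D
# "$datadir"), which is the step that fails if the key permissions are wrong.
# Prints the number of "ssl = on" lines now in the file.
enable_ssl_in_conf() {
    printf '\nssl = on\n' >> "$1"
    grep -c '^ssl = on' "$1"
}

# Usage: sh rotate-ssl.sh /var/lib/pgsql/9.3/data db.example.internal
if [ $# -eq 2 ]; then
    rotate_server_key "$1" "$2" && enable_ssl_in_conf "$1/postgresql.conf"
fi
```

Old clients that pinned or cached the previous certificate will need the new one distributed to them; the rotation only helps once the old key is no longer in use anywhere.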

Re: Heartbleed Impact

From
Stephen Frost
Date:
* Alvaro Herrera (alvherre@2ndquadrant.com) wrote:
> Dev Kumkar wrote:
> > > of which OpenSSL package versions' libssl.1.0.0.so is available at
> > > http://www.enterprisedb.com/products-services-training/pgbindownload ?
> > >
> >
> > OK, looked at the strings output and the version string "OpenSSL 1.0.1f 6 Jan 2014" is
> > seen.
> >
> > Please let me know if the new binary is uploaded at PG binary download link.
>
> This is an EnterpriseDB-supplied package.  You should talk to them
> directly.

Yeah, I'm doing that already and they're looking into it right now.

    Thanks,

        Stephen


Re: Heartbleed Impact

From
Dev Kumkar
Date:
On Wed, Apr 16, 2014 at 6:54 PM, Stephen Frost <sfrost@snowman.net> wrote:

Yeah, I'm doing that already and they're looking into it right now.

        Thanks,

                Stephen

I just downloaded the latest binaries from EnterpriseDB and when checked with libssl.so.1.0.0 can see this:
OpenSSL 1.0.1g 7 Apr 2014

OpenSSL 1.0.1g is the patched version.

Awaiting confirmation; also please let me know if there is a NOTE or link that talks about this fix from EnterpriseDB's side.

Regards...

Re: Heartbleed Impact

From
Stephen Frost
Date:
* Dev Kumkar (devdas.kumkar@gmail.com) wrote:
> I just downloaded the latest binaries from EnterpriseDB and when checked
> with libssl.so.1.0.0 can see this:
> OpenSSL 1.0.1g 7 Apr 2014
>
> OpenSSL 1.0.1g is the patched version.

Yes, checked w/ them and they say it's all patched..

> Awaiting confirmation; also please let me know if there is a NOTE or
> link that talks about this fix from EnterpriseDB's side.

There's a note on the 'installers' page here:
http://www.enterprisedb.com/products-services-training/pgdownload

I believe they're going to add a note to the other page too.

    Thanks,

        Stephen


Re: Heartbleed Impact

From
Dev Kumkar
Date:
On Wed, Apr 16, 2014 at 7:50 PM, Stephen Frost <sfrost@snowman.net> wrote:
* Dev Kumkar (devdas.kumkar@gmail.com) wrote:
> I just downloaded the latest binaries from EnterpriseDB and when checked
> with libssl.so.1.0.0 can see this:
> OpenSSL 1.0.1g 7 Apr 2014
>
> OpenSSL 1.0.1g is the patched version.

Yes, checked w/ them and they say it's all patched..

> Awaiting confirmation; also please let me know if there is a NOTE or
> link that talks about this fix from EnterpriseDB's side.

There's a note on the 'installers' page here:
http://www.enterprisedb.com/products-services-training/pgdownload

I believe they're going to add a note to the other page too.

        Thanks,

                Stephen

Thanks for the confirmation. Yup checked the NOTE on 'installers' page and a note on binary page will really help.

Regards...

Re: Heartbleed Impact

From
Dev Kumkar
Date:
On Wed, Apr 16, 2014 at 6:49 PM, Albe Laurenz <laurenz.albe@wien.gv.at> wrote:
Dev Kumkar wrote:
>> Unless somebody changes the setting to ssl=on, there should be no problem.

> Thanks. Also, please help me understand: is changing this postgresql.conf setting enough to be
> vulnerable here?

Just changing the setting will only cause your database server to error
out on restart - you also need to create certificates and put them into
the server directory.

So whoever does this change must know what they are doing (to some extent).

Once SSL has been enabled, a cunning attacker may be able to steal
the server's private key (if I understood the vulnerability correctly)
and then launch man-in-the-middle attacks, i.e. impersonate the server,
to eavesdrop on encrypted communication.

The remedy would be to create a new key pair for the server.

Yours,
Laurenz Albe

Thanks, this really helps. Currently we are not creating a certificate and are working in non-SSL mode.

Regards...

Re: Heartbleed Impact

From
Dev Kumkar
Date:
Hey,

What is the Windows equivalent of libssl.so.1.0.0?
Please reply as this is really becoming priority for me.

Regards...

Re: Heartbleed Impact

From
John R Pierce
Date:
On 4/16/2014 9:38 AM, Dev Kumkar wrote:
> What is the Windows equivalent of libssl.so.1.0.0?
> Please reply as this is really becoming priority for me.
>

Windows native stuff uses completely different TLS libraries, SChannel
and such.  AFAIK, these aren't subject to this bug, which was specific
to OpenSSL 1.0.1x for x=a-f...    OpenSSL is only used on Windows when
someone uses it explicitly, such as in Cygwin applications, and such.

It *is* used by PostgreSQL under Windows as EnterpriseDB builds it,
since PG was written to use OpenSSL in the first place.

--
john r pierce                                      37N 122W
somewhere on the middle of the left coast



Re: Heartbleed Impact

From
Dev Kumkar
Date:
On Thu, Apr 17, 2014 at 12:53 AM, John R Pierce <pierce@hogranch.com> wrote:
Windows native stuff uses completely different TLS libraries, SChannel and such.  AFAIK, these aren't subject to this bug, which was specific to OpenSSL 1.0.1x for x=a-f...    OpenSSL is only used on Windows when someone uses it explicitly, such as in Cygwin applications, and such.

It *is* used by PostgreSQL under Windows as EnterpriseDB builds it, since PG was written to use OpenSSL in the first place.

--
john r pierce                                      37N 122W
somewhere on the middle of the left coast
So does this mean the PostgreSQL binaries available from EnterpriseDB have an impact on Windows?
Can you help me with the binary name?

Regards...

Re: Heartbleed Impact

From
John R Pierce
Date:
On 4/16/2014 12:40 PM, Dev Kumkar wrote:
>
> So does this mean the PostgreSQL binaries available from EnterpriseDB have an
> impact on Windows?
> Can you help me with the binary name?
>

Do you enable SSL and expose it to an insecure network?   If not, no
exposure to the Heartbleed bug.

AFAIK, the binary name is postgres.exe; from what I've read they are
statically linking OpenSSL.  The updated versions on the site linked in
another message are fixed per the note on that page.
http://www.enterprisedb.com/products-services-training/pgdownload





--
john r pierce                                      37N 122W
somewhere on the middle of the left coast



Re: Heartbleed Impact

From
Dev Kumkar
Date:
On Thu, Apr 17, 2014 at 1:31 AM, John R Pierce <pierce@hogranch.com> wrote:
Do you enable SSL and expose it to an insecure network?   If not, no exposure to the Heartbleed bug.

No, SSL is not enabled in my case, but I also wanted to make sure there is no binary available which can later result in any potential issue.
 
AFAIK, the binary name is postgres.exe; from what I've read they are statically linking OpenSSL.  The updated versions on the site linked in another message are fixed per the note on that page. http://www.enterprisedb.com/products-services-training/pgdownload
I was able to verify for the Linux binaries by looking at the strings of the .so file but was not sure about the Windows side and hence was looking for confirmation.

Regards...
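The check the thread does by hand (reading the strings of libssl.so.1.0.0, because, as Zoltán notes earlier, the soname 1.0.0 is shipped by both the 1.0.0 and the 1.0.1 series and says nothing about the actual release; the same applies to a postgres.exe with OpenSSL statically linked in), scripted as an added example. This is not code from the thread or from EnterpriseDB. The sample files it writes are constructed stand-ins for a shared library, and the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) is taken from the OpenSSL advisory for CVE-2014-0160; 1.0.1g of 7 Apr 2014 is the first fixed 1.0.1 release.

```sh
#!/bin/sh
# Added example (not from the thread or EnterpriseDB): classify a shared object
# or executable by the OpenSSL build string compiled into it, the way the
# thread inspects libssl.so.1.0.0 and postgres.exe with strings(1).

# Print the "OpenSSL <version> <date>" build string embedded in the file.
# The soname (libssl.so.1.0.0) does not identify the release: both the 1.0.0
# and 1.0.1 series ship it, so the embedded version string is what to read.
openssl_build_string() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        # Portable stand-in for strings(1): split on non-printable bytes.
        LC_ALL=C tr -c '[:print:]' '\n' < "$1"
    fi | grep -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*(-[a-z0-9]+)? +[0-9]+ [A-Z][a-z]+ [0-9]{4}' | head -n 1
}

# Map the embedded version to Heartbleed (CVE-2014-0160) status:
#   vulnerable    1.0.1 through 1.0.1f, and 1.0.2-beta1 (per the OpenSSL advisory)
#   patched       1.0.1g (7 Apr 2014) and later
#   not-affected  0.9.8 and 1.0.0 series, which have no TLS heartbeat code
#   unknown       no OpenSSL build string found in the file
heartbleed_status() {
    ver=$(openssl_build_string "$1" | awk '{print $2}')
    case "$ver" in
        '')                             echo unknown ;;
        1.0.1|1.0.1[a-f]*|1.0.2-beta1)  echo vulnerable ;;
        1.0.1*|1.0.2*|1.1.*|3.*)        echo patched ;;
        0.9.*|1.0.0*)                   echo not-affected ;;
        *)                              echo unknown ;;
    esac
}

# Write a constructed stand-in for a library: binary junk around a version
# string, enough to exercise the check on a box without a real libssl.
write_fake_lib() {
    printf '\001\002\003junk\004%s\000\177more\000' "$2" > "$1"
}

# Usage: sh check-openssl.sh /opt/pgsql/lib/libssl.so.1.0.0 [more files...]
# A statically linked postgres.exe is checked the same way.
if [ $# -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s (%s)\n' "$f" "$(heartbleed_status "$f")" "$(openssl_build_string "$f")"
    done
fi
```

Run it over every copy of libssl the product ships, not just the one in the installer you downloaded last: an older copy left behind in another install prefix is loaded just as readily.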

Re: Heartbleed Impact

From
Stephen Frost
Date:
* Dev Kumkar (devdas.kumkar@gmail.com) wrote:
> > AFAIK, the binary name is postgres.exe; from what I've read they are
> > statically linking OpenSSL.  The updated versions on the site linked in another
> > message are fixed per the note on that page.
> > http://www.enterprisedb.com/products-services-training/pgdownload
>
> http://www.enterprisedb.com/products-services-training/pgbindownload also
> has the note added sometime back.
> I was able to verify for the Linux binaries by looking at the strings of the .so file but
> was not sure about the Windows side and hence was looking for confirmation.

All the binaries on both pages have been updated (and were a while
back).  They recently added the 'Note' to the binary downloads page to
clarify this (it was just the Note that had been missing- the binaries
themselves have been updated for a while).

    Thanks,

        Stephen


Re: Heartbleed Impact

From
Dev Kumkar
Date:

On Wed, Apr 16, 2014 at 9:08 PM, Dev Kumkar <devdas.kumkar@gmail.com> wrote:
On Wed, Apr 16, 2014 at 7:50 PM, Stephen Frost <sfrost@snowman.net> wrote:
* Dev Kumkar (devdas.kumkar@gmail.com) wrote:
> I just downloaded the latest binaries from EnterpriseDB and when checked
> with libssl.so.1.0.0 can see this:
> OpenSSL 1.0.1g 7 Apr 2014
>
> OpenSSL 1.0.1g is the patched version.

Yes, checked w/ them and they say it's all patched..

> Awaiting confirmation; also please let me know if there is a NOTE or
> link that talks about this fix from EnterpriseDB's side.

There's a note on the 'installers' page here:
http://www.enterprisedb.com/products-services-training/pgdownload

I believe they're going to add a note to the other page too.

        Thanks,

                Stephen

Thanks for the confirmation. Yup checked the NOTE on 'installers' page and a note on binary page will really help.

Regards...

Hello Guys,

For PostgreSQL, is there any OpenSSL fix coming up for this issue: http://www.zdnet.com/openssl-fixes-another-severe-vulnerability-7000030253/

Currently in PostgreSQL 9.4.3 the version is as follows: OpenSSL 1.0.1g 7 Apr 2014

As per the above link, fixed OpenSSL version would be 1.0.1h

Looking forward to some comments here.

Regards...

Re: Heartbleed Impact

From
Magnus Hagander
Date:
On Thu, Jun 5, 2014 at 7:30 PM, Dev Kumkar <devdas.kumkar@gmail.com> wrote:

On Wed, Apr 16, 2014 at 9:08 PM, Dev Kumkar <devdas.kumkar@gmail.com> wrote:
On Wed, Apr 16, 2014 at 7:50 PM, Stephen Frost <sfrost@snowman.net> wrote:
* Dev Kumkar (devdas.kumkar@gmail.com) wrote:
> I just downloaded the latest binaries from EnterpriseDB and when checked
> with libssl.so.1.0.0 can see this:
> OpenSSL 1.0.1g 7 Apr 2014
>
> OpenSSL 1.0.1g is the patched version.

Yes, checked w/ them and they say it's all patched..

> Awaiting confirmation; also please let me know if there is a NOTE or
> link that talks about this fix from EnterpriseDB's side.

There's a note on the 'installers' page here:
http://www.enterprisedb.com/products-services-training/pgdownload

I believe they're going to add a note to the other page too.

        Thanks,

                Stephen

Thanks for the confirmation. Yup checked the NOTE on 'installers' page and a note on binary page will really help.

Regards...

Hello Guys,

For PostgreSQL, is there any OpenSSL fix coming up for this issue: http://www.zdnet.com/openssl-fixes-another-severe-vulnerability-7000030253/

Currently in PostgreSQL 9.4.3 the version is as follows: OpenSSL 1.0.1g 7 Apr 2014

As per the above link, fixed OpenSSL version would be 1.0.1h

Looking forward to some comments here.


Hi!

The guys at EnterpriseDB are busy building new installers as we speak, I would expect them to be out tomorrow or so. 

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Re: Heartbleed Impact

From
Dev Kumkar
Date:
On Thu, Jun 5, 2014 at 11:03 PM, Magnus Hagander <magnus@hagander.net> wrote:
Hi!

The guys at EnterpriseDB are busy building new installers as we speak, I would expect them to be out tomorrow or so. 

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Thanks for the update.
That's really good to know, I hope binary fix will also be available. http://www.enterprisedb.com/products-services-training/pgbindownload

Regards...