Обсуждение: BUG #17907: PostgresSQL 15.x contains OpenSSL DLLs (vulnerable to CVE-2023-0464, CVE-2023-0465 & CVE-2023-0466)
BUG #17907: PostgresSQL 15.x contains OpenSSL DLLs (vulnerable to CVE-2023-0464, CVE-2023-0465 & CVE-2023-0466)
От
PG Bug reporting form
Дата:
The following bug has been logged on the website: Bug reference: 17907 Logged by: Adrian Scott Email address: ascott@wwf.org.uk PostgreSQL version: 15.2 Operating system: Windows 10 Enterprise 64 bit Description: We have been alerted to the existence of 3 OpenSSL vulnerabilities that are exposed within the OpenSSL v3.0.8 DLLs installed as part of the PostgresSQL 15.x install. In the default install paths the 2 files are found here: c:\program files\postgresql\15\bin\libcrypto-3-x64.dll c:\program files\postgresql\15\bin\libssl-3-x64.dll These are affected by vulnerabilities CVE-2023-0464, CVE-2023-0465 & CVE-2023-0466 Please can you update the PostgresSQL distributions to include the latest OpenSSL dlls with your next bugfixed release (either using OpenSSL 3.1.1 or 3.0.9), to remove these vulnerabilities?
Hi,
In the security advisory, the OpenSSL community had mentioned
"Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available."
So once the version 3.0.9 (and 1.1.1 update) we will rewrap the PostgreSQL installers
On Thu, Apr 27, 2023 at 12:21 PM PG Bug reporting form <noreply@postgresql.org> wrote:
The following bug has been logged on the website:
Bug reference: 17907
Logged by: Adrian Scott
Email address: ascott@wwf.org.uk
PostgreSQL version: 15.2
Operating system: Windows 10 Enterprise 64 bit
Description:
We have been alerted to the existence of 3 OpenSSL vulnerabilities that are
exposed within the OpenSSL v3.0.8 DLLs installed as part of the PostgresSQL
15.x install.
In the default install paths the 2 files are found here:
c:\program files\postgresql\15\bin\libcrypto-3-x64.dll
c:\program files\postgresql\15\bin\libssl-3-x64.dll
These are affected by vulnerabilities CVE-2023-0464, CVE-2023-0465 &
CVE-2023-0466
Please can you update the PostgresSQL distributions to include the latest
OpenSSL dlls with your next bugfixed release (either using OpenSSL 3.1.1 or
3.0.9), to remove these vulnerabilities?
Sandeep Thakkar