Re: OpenSSL Vulnerability in pgAdmin III

From: Ben Trewern <ben(dot)trewern(at)gmail(dot)com>
To: Sathesh S <Sathesh(dot)Sundaram(at)hotmail(dot)com>
Cc: "pgadmin-support(at)postgresql(dot)org" <pgadmin-support(at)postgresql(dot)org>
Subject: Re: OpenSSL Vulnerability in pgAdmin III
Date: 2016-10-31 12:13:30
Message-ID: 7ABECC8C-4B06-4E9C-8CE5-80A1B121B1A6@gmail.com
Lists: pgadmin-support

Hi,

For pgAdmin III it might be worth looking at http://www.bigsql.org/pgadmin3/. They are looking at updating and supporting pgAdmin III for a while longer.

Regards,

Ben

> On 31 Oct 2016, at 04:43, Sathesh S <Sathesh(dot)Sundaram(at)hotmail(dot)com> wrote:
>
>
> Hello All,
>
> We use pgAdmin III to connect to Greenplum database. We had recently found out from our vulnerability team that pgAdmin III uses OpenSSL version before 1.0.2h which has the below vulnerability.
>
> OpenSSL version before 1.0.1t & 1.0.2h has vulnerabilities. And pgAdmin 3 is using a vulnerable version of OpenSSL.
>
> The latest version in pgAdmin III is v1.22 and it is using OpenSSL version 1.0.2f.
>
> Below is the info related to the vulnerability:
> Overview: The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
>
> Even though pgAdmin IV uses an OpenSSL version above 1.0.2h, we are unable to use pgAdmin IV because it has issues connecting to Greenplum (it gives the below error):
>
> ERROR: unrecognized configuration parameter "bytea_output"
>
> Can you please help with my below questions:
>
> 1. I understand that pgAdmin III is not supported anymore, but because pgAdmin IV is relatively new and a lot of people would still be using pgAdmin III, will an updated version of pgAdmin III with the latest version of OpenSSL be released?
>
> 2. Can end users update the OpenSSL version themselves? I mean, since pgAdmin IV is using OpenSSL 1.0.2h, can we copy this file to pgAdmin III v1.22?
> Is this workaround okay/allowed?
> Will this workaround create any issues in pgAdmin III?
>
> Please help, thanks in advance.
>
> Thanks,
> Sathesh
