Re: OpenSSL Vulnerability in pgAdmin III

From: Sathesh S <Sathesh(dot)Sundaram(at)hotmail(dot)com>
To: Ben Trewern <ben(dot)trewern(at)gmail(dot)com>
Cc: "pgadmin-support(at)postgresql(dot)org" <pgadmin-support(at)postgresql(dot)org>
Subject: Re: OpenSSL Vulnerability in pgAdmin III
Date: 2016-11-01 06:30:39
Message-ID: AM5PR10MB06892B240CAA0EB47B6697DE82A10@AM5PR10MB0689.EURPRD10.PROD.OUTLOOK.COM
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgadmin-support

Hi Ben,

Thanks for the information. I tried to install pgAdmin3 LTS version in my laptop but looks like there is no option to install it without installing PGC, even after installing PGC I’m not to install pgAdmin3 as the package is not available.

If you have installed it, can you please tell what version of OpenSSL is used by pgAdmin3 LTS.

Also, it would be helpful if you can advice on copying OpenSSL file from pgAdmin IV to pgAdmin III (question in my previous email)

Thanks,
Sathesh

From: Ben Trewern<mailto:ben(dot)trewern(at)gmail(dot)com>
Sent: Monday, October 31, 2016 5:43 PM
To: Sathesh S<mailto:Sathesh(dot)Sundaram(at)hotmail(dot)com>
Cc: pgadmin-support(at)postgresql(dot)org<mailto:pgadmin-support(at)postgresql(dot)org>
Subject: Re: [pgadmin-support] OpenSSL Vulnerability in pgAdmin III

Hi,

For pgAdmin III it might be worth looking at http://www.bigsql.org/pgadmin3/. They are looking at updating and supporting pgAdmin III for a while longer.

Regards,

Ben

On 31 Oct 2016, at 04:43, Sathesh S <Sathesh(dot)Sundaram(at)hotmail(dot)com<mailto:Sathesh(dot)Sundaram(at)hotmail(dot)com>> wrote:

Hello All,

We use pgAdmin III to connect to Greenplum database. We had recently found out from our vulnerability team that pgAdmin III uses OpenSSL version before 1.0.2h which has the below vulnerability.

OpenSSL version before 1.0.1t & 1.0.2h has vulnerabilities. And pgAdmin 3 is using a vulnerable version of OpenSSL.

The latest version in pgAdmin III is v1.22 and it is using OpenSSL version 1.0.2f.

Below is the info related to the vulnerability:
Overview: The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.

Even though pgAdmin IV uses a OpenSSL version above 1.0.2h, we are unable to use pgAdmin IV because it is having issues connection to Greenplum (it gives below error)

ERROR: unrecognized configuration parameter "bytea_output"

Can you please help with my below questions:

1. I understand that pgAdmin III is not supported anymore, but because pgAdmin IV is relatively new and lot of people would be still using pgAdmin III, will a updated version of pgAdmin III released with latest version of OpenSSL be released?

2. Can end users update the OpenSSL version themselves? I mean – Since pgAdmin IV is using OpenSSL 1.0.2h, can we copy this file to pgAdmin III v1.22.
Is this workaround okay/allowed?
Will this workaround create any issues in pgAdmin III?

Please help, thanks in advance.

Thanks,
Sathesh

In response to

Responses

Browse pgadmin-support by date

  From Date Subject
Next Message Sergey Grinko 2016-11-01 07:07:10 Re: pgadmin3 some fixes
Previous Message Edson Richter 2016-10-31 17:51:28 Please, tell me how to disable window animations for pgAdmin4 v1.1