From: | Sathesh S <Sathesh(dot)Sundaram(at)hotmail(dot)com> |
---|---|
To: | "pgadmin-support(at)postgresql(dot)org" <pgadmin-support(at)postgresql(dot)org> |
Subject: | OpenSSL Vulnerability in pgAdmin III |
Date: | 2016-10-31 04:43:52 |
Message-ID: | AM5PR10MB0689A69B7373009675514B0E82AE0@AM5PR10MB0689.EURPRD10.PROD.OUTLOOK.COM |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgadmin-support |
Hello All,
We use pgAdmin III to connect to Greenplum database. We had recently found out from our vulnerability team that pgAdmin III uses OpenSSL version before 1.0.2h which has the below vulnerability.
OpenSSL version before 1.0.1t & 1.0.2h has vulnerabilities. And pgAdmin 3 is using a vulnerable version of OpenSSL.
The latest version in pgAdmin III is v1.22 and it is using OpenSSL version 1.0.2f.
Below is the info related to the vulnerability:
Overview: The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
Even though pgAdmin IV uses a OpenSSL version above 1.0.2h, we are unable to use pgAdmin IV because it is having issues connection to Greenplum (it gives below error)
ERROR: unrecognized configuration parameter "bytea_output"
Can you please help with my below questions:
1. I understand that pgAdmin III is not supported anymore, but because pgAdmin IV is relatively new and lot of people would be still using pgAdmin III, will a updated version of pgAdmin III released with latest version of OpenSSL be released?
2. Can end users update the OpenSSL version themselves? I mean – Since pgAdmin IV is using OpenSSL 1.0.2h, can we copy this file to pgAdmin III v1.22.
Is this workaround okay/allowed?
Will this workaround create any issues in pgAdmin III?
Please help, thanks in advance.
Thanks,
Sathesh
From | Date | Subject | |
---|---|---|---|
Next Message | Ben Trewern | 2016-10-31 12:13:30 | Re: OpenSSL Vulnerability in pgAdmin III |
Previous Message | Dave Page | 2016-10-30 17:13:24 | Re: Can't install pgadmin4 on linux (flask required) |