Re: OpenSSL Vulnerability in pgAdmin III

From: Dave Page <dpage(at)pgadmin(dot)org>
To: Sathesh S <Sathesh(dot)Sundaram(at)hotmail(dot)com>
Cc: Ben Trewern <ben(dot)trewern(at)gmail(dot)com>, "pgadmin-support(at)postgresql(dot)org" <pgadmin-support(at)postgresql(dot)org>
Subject: Re: OpenSSL Vulnerability in pgAdmin III
Date: 2016-11-01 09:06:17
Message-ID: CA+OCxozmpjWvs2tDZE2GOZWkEL8+=2ZFfnKWv0EnoMuTad7f2A@mail.gmail.com
Lists: pgadmin-support

Hi

Based on feedback from existing users, I'm currently thinking I'll do a
final wrap-up release of community pgAdmin III next week (after PGConf.EU).
This will include the latest OpenSSL release.

On Tuesday, November 1, 2016, Sathesh S <Sathesh(dot)Sundaram(at)hotmail(dot)com>
wrote:

> Hi Ben,
>
>
>
> Thanks for the information. I tried to install pgAdmin3 LTS version in my
> laptop but looks like there is no option to install it without installing
> PGC, even after installing PGC I’m not able to install pgAdmin3 as the package
> is not available.
>
>
>
> If you have installed it, can you please tell what version of OpenSSL is
> used by pgAdmin3 LTS.
>
>
>
> Also, it would be helpful if you can advise on copying OpenSSL file from
> pgAdmin IV to pgAdmin III (question in my previous email)
>
>
>
> Thanks,
>
> Sathesh
>
>
>
>
>
> *From: *Ben Trewern
> *Sent: *Monday, October 31, 2016 5:43 PM
> *To: *Sathesh S
> *Cc: *pgadmin-support(at)postgresql(dot)org
> *Subject: *Re: [pgadmin-support] OpenSSL Vulnerability in pgAdmin III
>
>
> Hi,
>
> For pgAdmin III it might be worth looking at
> http://www.bigsql.org/pgadmin3/. They are looking at updating and
> supporting pgAdmin III for a while longer.
>
> Regards,
>
> Ben
>
>
> On 31 Oct 2016, at 04:43, Sathesh S <Sathesh(dot)Sundaram(at)hotmail(dot)com> wrote:
>
>
> Hello All,
>
> We use pgAdmin III to connect to Greenplum database. We had recently found
> out from our vulnerability team that pgAdmin III uses OpenSSL version
> before 1.0.2h which has the below vulnerability.
>
> OpenSSL version before 1.0.1t & 1.0.2h has vulnerabilities. And pgAdmin 3
> is using a vulnerable version of OpenSSL.
>
> The latest version in pgAdmin III is v1.22 and it is using OpenSSL version
> 1.0.2f.
>
> Below is the info related to the vulnerability:
> Overview: The X509_NAME_oneline function in crypto/x509/x509_obj.c in
> OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to
> obtain sensitive information from process stack memory or cause a denial of
> service (buffer over-read) via crafted EBCDIC ASN.1 data.
>
> Even though pgAdmin IV uses an OpenSSL version above 1.0.2h, we are unable
> to use pgAdmin IV because it is having issues connecting to Greenplum (it
> gives below error)
>
> ERROR: unrecognized configuration parameter "bytea_output"
>
> Can you please help with my below questions:
>
> 1. I understand that pgAdmin III is not supported anymore, but
> because pgAdmin IV is relatively new and a lot of people would be still using
> pgAdmin III, will an updated version of pgAdmin III with the latest
> version of OpenSSL be released?
>
> 2. Can end users update the OpenSSL version themselves? I mean –
> Since pgAdmin IV is using OpenSSL 1.0.2h, can we copy this file to pgAdmin
> III v1.22.
> Is this workaround okay/allowed?
> Will this workaround create any issues in pgAdmin III?
>
> Please help, thanks in advance.
>
> Thanks,
> Sathesh
>
>
>

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
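
The affected range quoted in the original report (before 1.0.1t, and 1.0.2 before 1.0.2h) written as a version check. This is an added example, not part of the thread and not pgAdmin or OpenSSL code. The function names are hypothetical and the sample banners are constructed in the style of `openssl version` output.

```python
import re

# OpenSSL 1.0.x versions: three numbers plus an optional letter patch level
# (a..z, then za, zb, ...), e.g. "1.0.2f"; pre-releases add "-beta1" etc.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(-(?:beta|pre|dev)\d*)?")


def parse_openssl_version(text):
    """Return a sortable tuple for the first OpenSSL version found in text."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % (text,))
    major, minor, fix = (int(g) for g in m.group(1, 2, 3))
    # Letter patch level: "" -> 0, "a" -> 1, ..., "z" -> 26, "za" -> 27.
    patch = sum(ord(c) - ord("a") + 1 for c in m.group(4))
    # A pre-release sorts before the release of the same number.
    released = 0 if m.group(5) else 1
    return (major, minor, fix, patch, released)


FIXED_101 = parse_openssl_version("1.0.1t")
FIXED_102 = parse_openssl_version("1.0.2h")


def is_affected(text):
    """True if the version is in the range quoted in the report:
    before 1.0.1t, or on the 1.0.2 branch before 1.0.2h."""
    version = parse_openssl_version(text)
    if version[:3] == (1, 0, 2):
        return version < FIXED_102
    return version < FIXED_101


# Constructed sample banners in the style printed by `openssl version`.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.2f  28 Jan 2016",   # version the thread reports for v1.22
    "OpenSSL 1.0.2h  3 May 2016",
    "OpenSSL 1.0.1s  1 Mar 2016",
    "OpenSSL 1.0.1t  3 May 2016",
    "OpenSSL 1.0.2k-fips  26 Jan 2017",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        state = "AFFECTED" if is_affected(banner) else "ok"
        print("%-36s %s" % (banner, state))
```

A plain string comparison would get letter patch levels past `z` wrong, which is why the version is converted to a tuple first.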
