| From: | Saravanan Subramaniyan <sara1479(at)gmail(dot)com> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: OpenSSL Vulnerabilities |
| Date: | 2014-06-13 13:12:42 |
| Message-ID: | CANRH5ZYpYiKFUxyxVRw1kMoz-zY=NF9_Z_Gxq9S7jMDu8mq87g@mail.gmail.com |
| Lists: | pgsql-general |
Thanks Magnus. We are using the package downloaded from EnterpriseDB. Thanks
for the clarification.
Regards
V.S.Saravanan
On 13 Jun 2014 15:37, "Magnus Hagander" <magnus(at)hagander(dot)net> wrote:
>
>
>
> On Fri, Jun 13, 2014 at 5:25 AM, Saravanan Subramaniyan <
> sara1479(at)gmail(dot)com> wrote:
>
>> Thanks Magnus. We have removed as well as replaced the OpenSSL libraries.
>> The postgresql service is not coming up (SSL is turned off). I thought
>> OpenSSL is used when we turn on SSL in postgresql.
>>
>
>
> PostgreSQL *uses* OpenSSL, but does not contain it.
>
> PostgreSQL is still linked against openssl, so if you replaced it with an
> incompatible version then it would break. But as I said, it depends on your
> distribution of PostgreSQL. As long as you use something like RPM or DEB
> packaging, that's all taken care of by the operating system and nothing is
> bundled by PostgreSQL. If you installed manually from source, for example,
> then of course you need to make sure that your updated openssl is
> compatible with the old one.
>
> //Magnus
>
>
>> Thanks
>> V.S.Saravanan
>>
>>
>> On Thu, Jun 12, 2014 at 7:56 PM, Magnus Hagander <magnus(at)hagander(dot)net>
>> wrote:
>>
>>> On Thu, Jun 12, 2014 at 8:43 AM, Saravanan Subramaniyan <
>>> sara1479(at)gmail(dot)com> wrote:
>>>
>>>> Hi All,
>>>> Recently OpenSSL released a Security Advisory. Please refer to the link below:
>>>>
>>>> http://www.openssl.org/news/secadv_20140605.txt.
>>>>
>>>> We are using postgresql version 9.2.8 which is vulnerable. Is
>>>> postgresql planning to release a new version which includes OpenSSL 1.0.1h?
>>>>
>>>>
>>> PostgreSQL itself is not vulnerable, so we will not release a new
>>> version.
>>>
>>> If you are using the EnterpriseDB graphical installers, they are indeed
>>> bundling the OpenSSL and it at least used to be the vulnerable version.
>>> Unfortunately they don't seem to have information about the updates yet - I
>>> will see if I can ping them about making sure that goes on there. I think
>>> they have already patched it - but it's not confirmed on the website.
>>>
>>> --
>>> Magnus Hagander
>>> Me: http://www.hagander.net/
>>> Work: http://www.redpill-linpro.com/
>>>
>>
>>
>
>
> --
> Magnus Hagander
> Me: http://www.hagander.net/
> Work: http://www.redpill-linpro.com/
>
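The point made in the quoted reply, that PostgreSQL is linked against OpenSSL rather than containing it, can be checked on a Linux host by looking at which libssl/libcrypto the `postgres` binary resolves. The script below is an added example, not part of the thread or of PostgreSQL; the function names, sample `ldd` output, library paths and banner are constructed, and 1.0.1h is the version named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). All sample data below is constructed.

# Read `ldd`-style output on stdin; print the resolved libssl/libcrypto paths.
linked_openssl_libs() {
  awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $3 }'
}

# Extract the version token from a banner such as "OpenSSL 1.0.1g 7 Apr 2014".
banner_version() {
  printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Exit 0 if version $1 is older than $2, 1 if not, 2 if the base releases
# differ (e.g. 0.9.8 vs 1.0.1), which this helper does not try to compare.
# Letter suffixes order by length first, then alphabetically (h < z < za).
openssl_older_than() {
  _hb=${1%%[a-z]*}; _wb=${2%%[a-z]*}
  [ "$_hb" = "$_wb" ] || return 2
  _hs=${1#"$_hb"}; _ws=${2#"$_wb"}
  if [ "${#_hs}" -ne "${#_ws}" ]; then
    [ "${#_hs}" -lt "${#_ws}" ]
    return
  fi
  expr "x$_hs" \< "x$_ws" >/dev/null
}

# Constructed ldd output for a hypothetical source-built postgres binary.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd1a5f2000)
	libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f3b1c000000)
	libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f3b1bc00000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3b1b800000)'
SAMPLE_BANNER='OpenSSL 1.0.1g 7 Apr 2014'   # constructed banner text

# With a binary path as argument, inspect it; otherwise use the sample.
if [ -n "${1:-}" ] && [ -x "${1:-}" ]; then
  ldd "$1" | linked_openssl_libs
else
  printf '%s\n' "$SAMPLE_LDD" | linked_openssl_libs
fi

v=$(banner_version "$SAMPLE_BANNER")
if openssl_older_than "$v" 1.0.1h; then
  echo "$v is older than 1.0.1h"
fi
```

Run it with the path to the `postgres` binary as the first argument to list the OpenSSL libraries that binary actually loads. A distribution package may carry backported fixes under an older version string, so the version comparison is meaningful mainly for source builds and bundled copies.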