Re: OpenSSL Vulnerability in pgAdmin III

From: Dave Page <dpage(at)pgadmin(dot)org>
To: Sathesh S <sathesh(dot)sundaram(at)hotmail(dot)com>
Cc: "ben(dot)trewern(at)gmail(dot)com" <ben(dot)trewern(at)gmail(dot)com>, "pgadmin-support(at)postgresql(dot)org" <pgadmin-support(at)postgresql(dot)org>
Subject: Re: OpenSSL Vulnerability in pgAdmin III
Date: 2016-11-10 12:42:15
Message-ID: CA+OCxowfaeRn4qbvPuABdHMHvR1gAFgvbXGUpNz197UistrQAg@mail.gmail.com
Lists: pgadmin-support

I'm going to try to do it this afternoon - things got a bit busy after
PGConf.EU...

On Thu, Nov 10, 2016 at 4:28 AM, Sathesh S <sathesh(dot)sundaram(at)hotmail(dot)com> wrote:
> Hi Dave,
>
> By any chance will the updated pgadmin III get released by this weekend?
>
> Thanks,
> Sathesh
>
> On Tue, Nov 1, 2016 at 10:03 PM +0530, "Sathesh S"
> <sathesh(dot)sundaram(at)hotmail(dot)com> wrote:
>
> Thanks Dave, it will be wonderful to have an updated final release.
>
> Thanks,
> Sathesh
>
> On Tue, Nov 1, 2016 at 2:36 PM +0530, "Dave Page" <dpage(at)pgadmin(dot)org> wrote:
>
> Hi
>
> Based on feedback from existing users, I'm currently thinking I'll do a
> final wrap-up release of community pgAdmin III next week (after PGConf.EU).
> This will include the latest OpenSSL release.
>
> On Tuesday, November 1, 2016, Sathesh S <Sathesh(dot)Sundaram(at)hotmail(dot)com>
> wrote:
>>
>> Hi Ben,
>>
>> Thanks for the information. I tried to install the pgAdmin3 LTS version on my
>> laptop but it looks like there is no option to install it without installing
>> PGC, and even after installing PGC I'm not able to install pgAdmin3 as the
>> package is not available.
>>
>> If you have installed it, can you please tell me what version of OpenSSL is
>> used by pgAdmin3 LTS?
>>
>> Also, it would be helpful if you can advise on copying the OpenSSL file from
>> pgAdmin IV to pgAdmin III (question in my previous email).
>>
>> Thanks,
>>
>> Sathesh
>>
>> From: Ben Trewern
>> Sent: Monday, October 31, 2016 5:43 PM
>> To: Sathesh S
>> Cc: pgadmin-support(at)postgresql(dot)org
>> Subject: Re: [pgadmin-support] OpenSSL Vulnerability in pgAdmin III
>>
>> Hi,
>>
>> For pgAdmin III it might be worth looking at
>> http://www.bigsql.org/pgadmin3/. They are looking at updating and
>> supporting pgAdmin III for a while longer.
>>
>> Regards,
>>
>> Ben
>>
>>
>> On 31 Oct 2016, at 04:43, Sathesh S <Sathesh(dot)Sundaram(at)hotmail(dot)com> wrote:
>>
>>
>> Hello All,
>>
>> We use pgAdmin III to connect to a Greenplum database. We recently found
>> out from our vulnerability team that pgAdmin III uses an OpenSSL version before
>> 1.0.2h, which has the below vulnerability.
>>
>> OpenSSL versions before 1.0.1t and 1.0.2h have vulnerabilities, and pgAdmin 3
>> is using a vulnerable version of OpenSSL.
>>
>> The latest version of pgAdmin III is v1.22 and it is using OpenSSL version
>> 1.0.2f.
>>
>> Below is the info related to the vulnerability:
>> Overview: The X509_NAME_oneline function in crypto/x509/x509_obj.c in
>> OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to
>> obtain sensitive information from process stack memory or cause a denial of
>> service (buffer over-read) via crafted EBCDIC ASN.1 data.
>>
>> Even though pgAdmin IV uses an OpenSSL version above 1.0.2h, we are unable
>> to use pgAdmin IV because it has issues connecting to Greenplum (it
>> gives the below error):
>>
>> ERROR: unrecognized configuration parameter "bytea_output"
>>
>> Can you please help with my below questions:
>>
>> 1. I understand that pgAdmin III is not supported anymore, but
>> because pgAdmin IV is relatively new and a lot of people would still be using
>> pgAdmin III, will an updated version of pgAdmin III with the latest
>> version of OpenSSL be released?
>>
>> 2. Can end users update the OpenSSL version themselves? I mean –
>> since pgAdmin IV is using OpenSSL 1.0.2h, can we copy this file to pgAdmin
>> III v1.22?
>> Is this workaround okay/allowed?
>> Will this workaround create any issues in pgAdmin III?
>>
>> Please help, thanks in advance.
>>
>> Thanks,
>> Sathesh
>>
>>
>
>
> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EnterpriseDB UK: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company
>

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
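A version-inventory check of the kind the quoted questions call for, added here as an example and not code from the pgAdmin project or from anyone in this thread: it scans a library's bytes for the OpenSSL version banner and compares it with the first fixed release on each branch named in the advisory text (1.0.1t and 1.0.2h). The sample bytes are constructed, and `FIXED_RELEASE` is filled in from the figures in the thread.

```python
import re
from typing import List, Optional, Tuple

# Constructed stand-in for a bundled OpenSSL library's bytes. Real builds embed
# the OPENSSL_VERSION_TEXT banner ("OpenSSL 1.0.2f  28 Jan 2016") as a plain
# string, and that banner is what the scan below looks for.
SAMPLE_LIBRARY_BYTES = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"OpenSSL 1.0.2f  28 Jan 2016\x00" + b"\x00" * 8
)

# First fixed release on each affected branch, per the advisory text quoted in
# the thread (1.0.1t and 1.0.2h). Other branches are reported as not assessed.
FIXED_RELEASE = {"1.0.1": "1.0.1t", "1.0.2": "1.0.2h"}

BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def find_openssl_versions(blob: bytes) -> List[str]:
    """Return every OpenSSL version banner found in a binary blob, e.g. ['1.0.2f']."""
    return [m.group(1).decode("ascii") for m in BANNER_RE.finditer(blob)]

def parse_version(version: str) -> Tuple[str, str]:
    """Split '1.0.2f' into branch '1.0.2' and letter 'f'. In the 1.0.x scheme the
    letter is the patch level; the unlettered base release sorts before 'a'."""
    m = VERSION_RE.fullmatch(version)
    if m is None:
        raise ValueError(f"not an OpenSSL version string: {version!r}")
    return f"{m.group(1)}.{m.group(2)}.{m.group(3)}", m.group(4)

def is_fixed(version: str) -> Optional[bool]:
    """True if at or past the branch's fixed release, False if older, None if the
    branch is not one the advisory covers (e.g. 1.1.0)."""
    branch, letter = parse_version(version)
    fixed = FIXED_RELEASE.get(branch)
    if fixed is None:
        return None
    return letter >= parse_version(fixed)[1]  # letter compare: 'f' < 'h', '' < 'h'

def audit_blob(blob: bytes) -> List[Tuple[str, Optional[bool]]]:
    """Pair each embedded version with its verdict; an empty list means no banner."""
    return [(v, is_fixed(v)) for v in find_openssl_versions(blob)]

if __name__ == "__main__":
    # For a real check, replace the sample with open(path, "rb").read().
    verdict = {True: "fixed", False: "VULNERABLE", None: "not assessed"}
    for version, fixed in audit_blob(SAMPLE_LIBRARY_BYTES):
        print(f"OpenSSL {version}: {verdict[fixed]}")
```

An empty result on a real library means no banner was found (stripped or statically linked elsewhere), not that the build is safe.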
