Re: BUG #17907: PostgresSQL 15.x contains OpenSSL DLLs (vulnerable to CVE-2023-0464, CVE-2023-0465 & CVE-2023-0466)

From: Sandeep Thakkar <sandeep(dot)thakkar(at)enterprisedb(dot)com>
To: ascott(at)wwf(dot)org(dot)uk, pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #17907: PostgresSQL 15.x contains OpenSSL DLLs (vulnerable to CVE-2023-0464, CVE-2023-0465 & CVE-2023-0466)
Date: 2023-04-27 07:43:00
Message-ID: CANFyU96es7PvJnm+y=OWCxL24eD77hagSeh37Ws2v=rtG2eVtQ@mail.gmail.com
Lists: pgsql-bugs

Hi,

In the security advisory, the OpenSSL community had mentioned
"Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when
they become available."

So once version 3.0.9 (and the 1.1.1 update) is available, we will rewrap the
PostgreSQL installers.

On Thu, Apr 27, 2023 at 12:21 PM PG Bug reporting form <
noreply(at)postgresql(dot)org> wrote:

> The following bug has been logged on the website:
>
> Bug reference: 17907
> Logged by: Adrian Scott
> Email address: ascott(at)wwf(dot)org(dot)uk
> PostgreSQL version: 15.2
> Operating system: Windows 10 Enterprise 64 bit
> Description:
>
> We have been alerted to the existence of 3 OpenSSL vulnerabilities that are
> exposed within the OpenSSL v3.0.8 DLLs installed as part of the PostgreSQL
> 15.x install.
> In the default install paths the 2 files are found here:
> c:\program files\postgresql\15\bin\libcrypto-3-x64.dll
> c:\program files\postgresql\15\bin\libssl-3-x64.dll
>
> These are affected by vulnerabilities CVE-2023-0464, CVE-2023-0465 &
> CVE-2023-0466
>
> Please can you update the PostgreSQL distributions to include the latest
> OpenSSL dlls with your next bugfixed release (either using OpenSSL 3.1.1 or
> 3.0.9), to remove these vulnerabilities?
>
>

--
Sandeep Thakkar
