Re: OpenSSL v1.1.1n in postgres - Mailing list pgsql-bugs

From Tom Lane
Subject Re: OpenSSL v1.1.1n in postgres
Date
Msg-id 167221.1648329440@sss.pgh.pa.us
In response to Re: OpenSSL v1.1.1n in postgres  ("David G. Johnston" <david.g.johnston@gmail.com>)
Responses Re: OpenSSL v1.1.1n in postgres  (Sandeep Thakkar <sandeep.thakkar@enterprisedb.com>)
List pgsql-bugs

"David G. Johnston" <david.g.johnston@gmail.com> writes:
> I do find it sad that this question about when a CVE has been patched is
> being asked where the active version is 10 months old and missing 3
> PostgreSQL CVE fixes, including an SSL related one in 13.5

In the OP's defense, this OpenSSL CVE does look a lot scarier than
any of ours ... if I'm reading it right, anyone who can reach your
postmaster port can arrange to chew 100% CPU on your server.
OTOH, they can't do anything more than that, and you probably
shouldn't have your DB server accessible from the open internet
anyway.

            regards, tom lane


