Re: Need new psqlODBC release to update OpenSSL again - Mailing list pgsql-odbc

From: Inoue, Hiroshi
Subject: Re: Need new psqlODBC release to update OpenSSL again
Msg-id: 539279C4.6000602@tpf.co.jp
In response to: Re: Need new psqlODBC release to update OpenSSL again (Dave Page <dpage@pgadmin.org>)
Responses: Re: Need new psqlODBC release to update OpenSSL again
List: pgsql-odbc

(2014/06/06 17:25), Dave Page wrote:
> On Fri, Jun 6, 2014 at 5:16 AM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
>> (2014/06/06 8:02), Michael Paquier wrote:
>>>
>>> On Fri, Jun 6, 2014 at 6:50 AM, Dave Page <dpage@pgadmin.org> wrote:
>>>>
>>>> On Thu, Jun 5, 2014 at 10:35 PM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
>>>>>
>>>>>
>>>>> (2014/06/05 22:19), Heikki Linnakangas wrote:
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> OpenSSL version 1.0.1h was released today, fixing several new
>>>>>> vulnerabilities. Looks like we need to make a new psqlODBC release
>>>>>> again, to get these fixed on Windows..
>>>>>
>>>>> Does this mean that we simply replace the SSL-related DLLs packaged in
>>>>> psqlodbc.msi and psqlodbc_x64.msi of the release 9.03.0300?
>>>>
>>>>
>>>> You may also need to bump the version number in the MSI/MSM packages
>>>> to ensure the upgrade happens.
>>>
>>> Perhaps we should directly do a new release, commit 9e71e4d fixed as
>>> well a problem with connection closed when queries are sent.
>>
>>
>> Why are we forced into new releases so often due to bugs in the OpenSSL
>> libraries? I'd like to reflect some changes for the next release
>> but it would take some time. In addition I've had little time to
>> test recent changes.
>
> That's the nature of releasing software that relies on third-party
> security components unfortunately. EDB have to put the work of a dozen
> or so people on hold for a week every time this happens :-/
>
>> All package files at http://www.postgresql.org/ftp/odbc/versions
>> /msi(mm or dll) may contain old OpenSSL DLLs. If the DLLs are so
>> risky, shouldn't we remove the package files?
>
> Probably, yes.
>
>> Simply repackaging Windows 9.03.0300 version (or other versions as
>> well?) replacing openssl dlls by new ones is unfavorable?
>
> Users typically won't update the files though, no matter how much you
> try to put notices and warnings in front of them.

What I mean is that I would prefer not to take in other changes for
this release and would like to release a Windows-limited version.
As you say, the Product version must be bumped at least.

> Even aside from
> that, we've been working hard in recent years to make it easier for
> users to get started and having them manually update things is a big
> step backwards. Last but not least - manually updating files from an
> MSI package can cause problems with the Windows Installer.

ISTM the new release isn't the "we are pleased to announce" kind.
Maybe we would have to announce that existing drivers are poison.

Anyway, I'm inclined to separate third-party libraries from psqlodbc.msi,
e.g. in the next major version.

regards,
Hiroshi Inoue
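The thread's concern is that old package files (and installed drivers) silently carry a stale OpenSSL. As an added example, not code from this thread or from the psqlODBC project, the script below scans DLL images for the `OPENSSL_VERSION_TEXT` banner that OpenSSL builds embed (e.g. `OpenSSL 1.0.1h 5 Jun 2014`) and flags anything below a minimum version, handling the letter-suffix ordering (1.0.1g < 1.0.1h < 1.0.2). The DLL images are constructed stand-ins, not real binaries.

```python
import re
from pathlib import Path

# OpenSSL 1.x embeds its OPENSSL_VERSION_TEXT banner in libeay32/ssleay32 builds,
# so a plain byte scan recovers the version without loading the DLL.
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

# Constructed stand-ins for DLLs unpacked from an MSI (not real PE images).
SAMPLE_IMAGES = {
    "libeay32.dll": b"MZ\x90\x00...\x00OpenSSL 1.0.1g 7 Apr 2014\x00...",
    "ssleay32.dll": b"MZ\x90\x00...\x00OpenSSL 1.0.1h 5 Jun 2014\x00...",
    "psqlodbc35w.dll": b"MZ\x90\x00no banner in the driver itself\x00",
}

def parse_version(text):
    """Turn '1.0.1h' into (1, 0, 1, 'h'); tuple order gives 1.0.1 < 1.0.1a < 1.0.2."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError(f"not an OpenSSL 1.x version: {text!r}")
    major, minor, fix, patch = m.groups()
    return (int(major), int(minor), int(fix), patch)

def find_openssl_version(blob):
    """Return the highest banner version found in a DLL image, or None if absent."""
    found = [parse_version(m.group(0)[len(b"OpenSSL "):].decode("ascii"))
             for m in BANNER.finditer(blob)]
    return max(found) if found else None

def audit_dlls(images, minimum="1.0.1h"):
    """Map each DLL name to ('ok' | 'stale' | 'unknown', version text or None)."""
    floor = parse_version(minimum)
    report = {}
    for name, blob in images.items():
        ver = find_openssl_version(blob)
        if ver is None:
            report[name] = ("unknown", None)
        else:
            report[name] = ("ok" if ver >= floor else "stale", "%d.%d.%d%s" % ver)
    return report

def audit_directory(path, minimum="1.0.1h"):
    """Audit every *.dll under an unpacked MSI/MSM or install directory."""
    images = {p.name: p.read_bytes() for p in Path(path).glob("*.dll")}
    return audit_dlls(images, minimum)

if __name__ == "__main__":
    for name, (status, ver) in audit_dlls(SAMPLE_IMAGES).items():
        print(f"{name:18} {status:8} {ver or '-'}")
```

Run it against a directory with `audit_directory(r"C:\path\to\unpacked\msi")`; a `stale` entry is a package or install that still ships pre-1.0.1h OpenSSL.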
