Re: Need new psqlODBC release to update OpenSSL again - Mailing list pgsql-odbc
From | Dave Page |
---|---|
Subject | Re: Need new psqlODBC release to update OpenSSL again |
Date | |
Msg-id | CA+OCxow0dvRfAygXbVvsc0Zwad7awmwO_OGbjozGFj8RtZraEw@mail.gmail.com |
In response to | Re: Need new psqlODBC release to update OpenSSL again ("Inoue, Hiroshi" <inoue@tpf.co.jp>) |
Responses | Re: Need new psqlODBC release to update OpenSSL again |
List | pgsql-odbc |

On Sat, Jun 7, 2014 at 3:32 AM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
>
> (2014/06/06 17:25), Dave Page wrote:
>>
>> On Fri, Jun 6, 2014 at 5:16 AM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
>>>
>>> (2014/06/06 8:02), Michael Paquier wrote:
>>>>
>>>> On Fri, Jun 6, 2014 at 6:50 AM, Dave Page <dpage@pgadmin.org> wrote:
>>>>>
>>>>> On Thu, Jun 5, 2014 at 10:35 PM, Inoue, Hiroshi <inoue@tpf.co.jp>
>>>>> wrote:
>>>>>>
>>>>>> (2014/06/05 22:19), Heikki Linnakangas wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> OpenSSL version 1.0.1h was released today, fixing several new
>>>>>>> vulnerabilities. Looks like we need to make a new psqlODBC release
>>>>>>> again, to get these fixed on Windows..
>>>>>>
>>>>>> Does this mean that we simply replace the ssl related dlls packaged in
>>>>>> psqlodbc.msi and psqlodbc_x64.msi of the release 9.03.0300?
>>>>>
>>>>> You may also need to bump the version number in the MSI/MSM packages
>>>>> to ensure the upgrade happens.
>>>>
>>>> Perhaps we should directly do a new release, commit 9e71e4d fixed as
>>>> well a problem with connection closed when queries are sent.
>>>
>>> Why are we forced new releases so often due to bugs of openssl
>>> libraries? I'd like to reflect some changes for the next release
>>> but it would take some time. In addition I've had little time to
>>> test recent changes.
>>
>> That's the nature of releasing software that relies on third-party
>> security components unfortunately. EDB have to put the work of a dozen
>> or so people on hold for a week every time this happens :-/
>>
>>> All package files at http://www.postgresql.org/ftp/odbc/versions
>>> /msi(mm or dll) may contain old openssl dlls. If the dlls are so
>>> risky, shouldn't we remove the package files?
>>
>> Probably, yes.
>>
>>> Simply repackaging Windows 9.03.0300 version (or other versions as
>>> well?) replacing openssl dlls by new ones is unfavorable?
>>
>> Users typically won't update the files though, no matter how much you
>> try to put notices and warnings in front of them.
>
> What I mean is that I don't prefer to take in other changes for
> this release and would like to release a Windows limited version.
> As you say the Product version must be bumped up at least.

Oh, for sure. There's no need to update anything else, unless you want to.

>> Even aside from
>> that, we've been working hard in recent years to make it easier for
>> users to get started and having them manually update things is a big
>> step backwards. Last but not least - manually updating files from an
>> MSI package can cause problems with the Windows Installer.
>
> ISTM the new release isn't a kind of "we are pleased to announce" one.
> Maybe we would have to announce existent drivers are poisons.
>
> Anyway I'm inclined to separate third party libraries from psqlodbc.msi
> e.g. in the next major version up.

Please don't - that'll just make it harder for all users to get things right.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company