Postgres Pro
Downloads
Home   >   mailing lists

Re: Need new psqlODBC release to update OpenSSL again - Mailing list pgsql-odbc

From Dave Page
Subject Re: Need new psqlODBC release to update OpenSSL again
Date
Msg-id CA+OCxowy+tbDTyguqpCYHd3hYY5p0TEVd2oVdXSWzt0jZ5rHRQ@mail.gmail.com
Whole thread Raw
In response to Re: Need new psqlODBC release to update OpenSSL again  ("Inoue, Hiroshi" <inoue@tpf.co.jp>)
Responses Re: Need new psqlODBC release to update OpenSSL again  ("Inoue, Hiroshi" <inoue@tpf.co.jp>)
List pgsql-odbc
Tree view 
On Fri, Jun 6, 2014 at 5:16 AM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
> (2014/06/06 8:02), Michael Paquier wrote:
>>
>> On Fri, Jun 6, 2014 at 6:50 AM, Dave Page <dpage@pgadmin.org> wrote:
>>>
>>> On Thu, Jun 5, 2014 at 10:35 PM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
>>>>
>>>>
>>>> (2014/06/05 22:19), Heikki Linnakangas wrote:
>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> OpenSSL version 1.0.1h was released today, fixing several new
>>>>> vulnerabilities. Looks like we need to make a new psqlODBC release
>>>>> again, to
>>>>> get these fixed on Windows..
>>>>
>>>>
>>>>
>>>> Does this mean that we simply replace the ssl related dlls packaged in
>>>> psqlodbc.msi
>>>> and psqlodbc_x64.msi of the release 9.03.0300?
>>>
>>>
>>> You may also need to bump the version number in the MSI/MSM packages
>>> to ensure the upgrade happens.
>>
>> Perhaps we should directly do a new release, commit 9e71e4d fixed as
>> well a problem with connection closed when queries are sent.
>
>
> Why are we forced new releases so often due to bugs of openssl
> libraries? I'd like to reflect some changes for the next release
> but it would take some time. In additon I've had little time to
> test recent changes.

That's the nature of releasing software the relies on third-party
security components unfortunately. EDB have to put the work of a dozen
or so people on hold for a week every time this happens :-/

> All package files at http://www.postgresql.org/ftp/odbc/versions
> /msi(mm or dll) may contain old openssl dlls. If the dlls are so
> risky, shoudn't we remove the package files?

Probably, yes.

> Simply repackaging Windows 9.03.0300 version (or other versions as
> well?) replacing openssl dlls by new ones is unfavorable?

Users typically won't update the files though, no matter how much you
try to put notices and warnings in front of them. Even aside from
that, we've been working hard in recent years to make it easier for
users to get started and having them manually update things is a big
step backwards. Last but not least - manually updating files from an
MSI package can cause problems with the Windows Installer.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

pgsql-odbc by date:

Previous
From: Michael Paquier
Date:
Subject: Re: SQLBulkOperations
Next
From: Heikki Linnakangas
Date:
Subject: Re: Need new psqlODBC release to update OpenSSL again