Thread: Need new psqlODBC release to update OpenSSL again

Need new psqlODBC release to update OpenSSL again

From
Heikki Linnakangas
Date:
Hi,

OpenSSL version 1.0.1h was released today, fixing several new
vulnerabilities. Looks like we need to make a new psqlODBC release
again, to get these fixed on Windows..

https://www.openssl.org/news/secadv_20140605.txt

- Heikki


Re: Need new psqlODBC release to update OpenSSL again

From
Michael Paquier
Date:
On Thu, Jun 5, 2014 at 10:19 PM, Heikki Linnakangas
<hlinnakangas@vmware.com> wrote:
> Hi,
>
> OpenSSL version 1.0.1h was released today, fixing several new
> vulnerabilities. Looks like we need to make a new psqlODBC release again, to
> get these fixed on Windows..
>
> https://www.openssl.org/news/secadv_20140605.txt
+1. Thanks for pointing that out.
--
Michael


Re: Need new psqlODBC release to update OpenSSL again

From
"Inoue, Hiroshi"
Date:
(2014/06/05 22:19), Heikki Linnakangas wrote:
> Hi,
>
> OpenSSL version 1.0.1h was released today, fixing several new
> vulnerabilities. Looks like we need to make a new psqlODBC release
> again, to get these fixed on Windows..

Does this mean that we simply replace the SSL-related DLLs packaged in
psqlodbc.msi and psqlodbc_x64.msi of the release 9.03.0300?

regards,
Hiroshi Inoue


Re: Need new psqlODBC release to update OpenSSL again

From
Dave Page
Date:
On Thu, Jun 5, 2014 at 10:35 PM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
>
> (2014/06/05 22:19), Heikki Linnakangas wrote:
>>
>> Hi,
>>
>> OpenSSL version 1.0.1h was released today, fixing several new
>> vulnerabilities. Looks like we need to make a new psqlODBC release again, to
>> get these fixed on Windows..
>
>
> Does this mean that we simply replace the ssl related dlls packaged in
> psqlodbc.msi
> and psqlodbc_x64.msi of the release 9.03.0300?

You may also need to bump the version number in the MSI/MSM packages
to ensure the upgrade happens.


--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


Re: Need new psqlODBC release to update OpenSSL again

From
Michael Paquier
Date:
On Fri, Jun 6, 2014 at 6:50 AM, Dave Page <dpage@pgadmin.org> wrote:
> On Thu, Jun 5, 2014 at 10:35 PM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
>>
>> (2014/06/05 22:19), Heikki Linnakangas wrote:
>>>
>>> Hi,
>>>
>>> OpenSSL version 1.0.1h was released today, fixing several new
>>> vulnerabilities. Looks like we need to make a new psqlODBC release again, to
>>> get these fixed on Windows..
>>
>>
>> Does this mean that we simply replace the ssl related dlls packaged in
>> psqlodbc.msi
>> and psqlodbc_x64.msi of the release 9.03.0300?
>
> You may also need to bump the version number in the MSI/MSM packages
> to ensure the upgrade happens.
Perhaps we should directly do a new release; commit 9e71e4d also fixed
a problem with the connection being closed when queries are sent.
--
Michael


Re: Need new psqlODBC release to update OpenSSL again

From
"Inoue, Hiroshi"
Date:
(2014/06/06 8:02), Michael Paquier wrote:
> On Fri, Jun 6, 2014 at 6:50 AM, Dave Page <dpage@pgadmin.org> wrote:
>> On Thu, Jun 5, 2014 at 10:35 PM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
>>>
>>> (2014/06/05 22:19), Heikki Linnakangas wrote:
>>>>
>>>> Hi,
>>>>
>>>> OpenSSL version 1.0.1h was released today, fixing several new
>>>> vulnerabilities. Looks like we need to make a new psqlODBC release again, to
>>>> get these fixed on Windows..
>>>
>>>
>>> Does this mean that we simply replace the ssl related dlls packaged in
>>> psqlodbc.msi
>>> and psqlodbc_x64.msi of the release 9.03.0300?
>>
>> You may also need to bump the version number in the MSI/MSM packages
>> to ensure the upgrade happens.
> Perhaps we should directly do a new release; commit 9e71e4d also fixed
> a problem with the connection being closed when queries are sent.

Why are we forced into new releases so often due to bugs in the OpenSSL
libraries? I'd like to reflect some changes in the next release,
but it would take some time. In addition, I've had little time to
test recent changes.

All package files at http://www.postgresql.org/ftp/odbc/versions
/msi(mm or dll) may contain old OpenSSL DLLs. If the DLLs are so
risky, shouldn't we remove the package files?

Is simply repackaging the Windows 9.03.0300 version (or other versions as
well?), replacing the OpenSSL DLLs with new ones, unfavorable?

regards,
Hiroshi Inoue










Re: Need new psqlODBC release to update OpenSSL again

From
Dave Page
Date:
On Fri, Jun 6, 2014 at 5:16 AM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
> (2014/06/06 8:02), Michael Paquier wrote:
>>
>> On Fri, Jun 6, 2014 at 6:50 AM, Dave Page <dpage@pgadmin.org> wrote:
>>>
>>> On Thu, Jun 5, 2014 at 10:35 PM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
>>>>
>>>>
>>>> (2014/06/05 22:19), Heikki Linnakangas wrote:
>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> OpenSSL version 1.0.1h was released today, fixing several new
>>>>> vulnerabilities. Looks like we need to make a new psqlODBC release
>>>>> again, to
>>>>> get these fixed on Windows..
>>>>
>>>>
>>>>
>>>> Does this mean that we simply replace the ssl related dlls packaged in
>>>> psqlodbc.msi
>>>> and psqlodbc_x64.msi of the release 9.03.0300?
>>>
>>>
>>> You may also need to bump the version number in the MSI/MSM packages
>>> to ensure the upgrade happens.
>>
>> Perhaps we should directly do a new release; commit 9e71e4d also fixed
>> a problem with the connection being closed when queries are sent.
>
>
> Why are we forced into new releases so often due to bugs in the OpenSSL
> libraries? I'd like to reflect some changes in the next release,
> but it would take some time. In addition, I've had little time to
> test recent changes.

That's the nature of releasing software that relies on third-party
security components, unfortunately. EDB have to put the work of a dozen
or so people on hold for a week every time this happens :-/

> All package files at http://www.postgresql.org/ftp/odbc/versions
> /msi(mm or dll) may contain old OpenSSL DLLs. If the DLLs are so
> risky, shouldn't we remove the package files?

Probably, yes.

> Is simply repackaging the Windows 9.03.0300 version (or other versions as
> well?), replacing the OpenSSL DLLs with new ones, unfavorable?

Users typically won't update the files though, no matter how much you
try to put notices and warnings in front of them. Even aside from
that, we've been working hard in recent years to make it easier for
users to get started and having them manually update things is a big
step backwards. Last but not least - manually updating files from an
MSI package can cause problems with the Windows Installer.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


Re: Need new psqlODBC release to update OpenSSL again

From
Heikki Linnakangas
Date:
On 06/06/2014 07:16 AM, Inoue, Hiroshi wrote:
> All package files at http://www.postgresql.org/ftp/odbc/versions
> /msi(mm or dll) may contain old OpenSSL DLLs. If the DLLs are so
> risky, shouldn't we remove the package files?

Well, you're only at risk if you use SSL. Old versions can be very
useful for debugging. If an application used to work correctly with an
old version, but doesn't with a new version, it's very useful to try all
the versions in between to see which exact version broke it.

It would be good to add a notice to the download page though:

NOTE: Old installers contain old versions of the OpenSSL and libpq
libraries, which contain known security vulnerabilities. They are here
for reference purposes only. For production use, always use the latest
version.

- Heikki
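A check for the situation Heikki describes, as an added example that is not code from the psqlODBC project or from anyone on this thread: it reads the version text that OpenSSL compiles into its binaries and flags bundled DLLs older than the 1.0.1h release named in the advisory. The DLL names (libeay32.dll, ssleay32.dll) are assumed, and the sample byte images are constructed stand-ins rather than real binaries.

```python
"""Audit bundled OpenSSL DLLs for a pre-fix version string (added example,
not psqlODBC project code). OpenSSL 1.0.x embeds OPENSSL_VERSION_TEXT, e.g.
"OpenSSL 1.0.1h 5 Jun 2014", in libcrypto, so it can be read without loading."""
import re
from pathlib import Path

# Version text compiled into libcrypto (libeay32.dll for 1.0.x on Windows).
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

# Release that the advisory on the page (secadv_20140605) ships the fixes in.
FIXED = (1, 0, 1, "h")

# Assumed names of the OpenSSL 1.0.x DLLs bundled with the Windows driver;
# libssl (ssleay32.dll) may lack the text itself and then reports 'unknown'.
OPENSSL_DLLS = ("libeay32.dll", "ssleay32.dll")


def find_openssl_version(data: bytes):
    """Return (major, minor, fix, letter) found in a DLL image, or None."""
    m = VERSION_RE.search(data)
    if m is None:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter.decode("ascii"))


def is_outdated(version, fixed=FIXED) -> bool:
    """True when version predates the fixed release. Tuple order gives
    1.0.1 < 1.0.1g < 1.0.1h (empty letter = base release sorts first);
    a build from a newer line such as 1.0.2 compares higher and is not flagged."""
    return version < fixed


def audit_images(images: dict) -> dict:
    """Classify each {dll name: bytes} as 'outdated', 'ok' or 'unknown'."""
    report = {}
    for name, data in images.items():
        version = find_openssl_version(data)
        if version is None:
            report[name] = "unknown"   # no version text: do not assume it is safe
        elif is_outdated(version):
            report[name] = "outdated"
        else:
            report[name] = "ok"
    return report


def audit_driver_dir(directory) -> dict:
    """Audit the OpenSSL DLLs present in an installed driver directory."""
    base = Path(directory)
    present = {n: (base / n).read_bytes() for n in OPENSSL_DLLS if (base / n).is_file()}
    return audit_images(present)


# Constructed stand-ins for DLL images (not real binaries): a PE-style "MZ"
# header followed by the version text as it appears inside the file.
SAMPLE_IMAGES = {
    "libeay32.dll": b"MZ" + b"\x00" * 30 + b"OpenSSL 1.0.1g 7 Apr 2014\x00",
    "ssleay32.dll": b"MZ" + b"\x00" * 30 + b"OpenSSL 1.0.1h 5 Jun 2014\x00",
    "libpq.dll": b"MZ" + b"\x00" * 30 + b"PostgreSQL 9.3\x00",
}

if __name__ == "__main__":
    print(audit_images(SAMPLE_IMAGES))
```

Run `audit_driver_dir` against the directory the driver MSI installed into to get the same verdicts for the real files; an 'unknown' result means the DLL needs inspecting by other means, not that it is safe.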


Re: Need new psqlODBC release to update OpenSSL again

From
Devrim Gündüz
Date:
Hi,

On Fri, 2014-06-06 at 12:51 +0300, Heikki Linnakangas wrote:
> Well, you're only at risk if you use SSL. Old versions can be very
> useful for debugging. If an application used to work correctly with an
> old version, but doesn't with a new version, it's very useful to try
> all the versions in between to see which exact version broke it.

Agreed. How about creating a directory called "archived releases" (or
so), and move everything there?

Regards,
--
Devrim GÜNDÜZ
Principal Systems Engineer @ EnterpriseDB: http://www.enterprisedb.com
PostgreSQL Danışmanı/Consultant, Red Hat Certified Engineer
Twitter: @DevrimGunduz , @DevrimGunduzTR



Re: Need new psqlODBC release to update OpenSSL again

From
"Inoue, Hiroshi"
Date:
(2014/06/06 18:58), Devrim Gündüz wrote:
>
> Hi,
>
> On Fri, 2014-06-06 at 12:51 +0300, Heikki Linnakangas wrote:
>> Well, you're only at risk if you use SSL. Old versions can be very
>> useful for debugging. If an application used to work correctly with an
>> old version, but doesn't with a new version, it's very useful to try
>> all the versions in between to see which exact version broke it.
>
> Agreed. How about creating a directory called "archived releases" (or
> so), and move everything there?

The name I was thinking of is "dangerous_to_use", so that the packages
are not used casually.

regards,
Hiroshi Inoue


Re: Need new psqlODBC release to update OpenSSL again

From
"Inoue, Hiroshi"
Date:

(2014/06/06 17:25), Dave Page wrote:
> On Fri, Jun 6, 2014 at 5:16 AM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
>> (2014/06/06 8:02), Michael Paquier wrote:
>>>
>>> On Fri, Jun 6, 2014 at 6:50 AM, Dave Page <dpage@pgadmin.org> wrote:
>>>>
>>>> On Thu, Jun 5, 2014 at 10:35 PM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
>>>>>
>>>>>
>>>>> (2014/06/05 22:19), Heikki Linnakangas wrote:
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> OpenSSL version 1.0.1h was released today, fixing several new
>>>>>> vulnerabilities. Looks like we need to make a new psqlODBC release
>>>>>> again, to
>>>>>> get these fixed on Windows..
>>>>>
>>>>>
>>>>>
>>>>> Does this mean that we simply replace the ssl related dlls packaged in
>>>>> psqlodbc.msi
>>>>> and psqlodbc_x64.msi of the release 9.03.0300?
>>>>
>>>>
>>>> You may also need to bump the version number in the MSI/MSM packages
>>>> to ensure the upgrade happens.
>>>
>>> Perhaps we should directly do a new release; commit 9e71e4d also fixed
>>> a problem with the connection being closed when queries are sent.
>>
>>
>> Why are we forced into new releases so often due to bugs in the OpenSSL
>> libraries? I'd like to reflect some changes in the next release,
>> but it would take some time. In addition, I've had little time to
>> test recent changes.
>
> That's the nature of releasing software that relies on third-party
> security components, unfortunately. EDB have to put the work of a dozen
> or so people on hold for a week every time this happens :-/
>
>> All package files at http://www.postgresql.org/ftp/odbc/versions
>> /msi(mm or dll) may contain old OpenSSL DLLs. If the DLLs are so
>> risky, shouldn't we remove the package files?
>
> Probably, yes.
>
>> Is simply repackaging the Windows 9.03.0300 version (or other versions as
>> well?), replacing the OpenSSL DLLs with new ones, unfavorable?
>
> Users typically won't update the files though, no matter how much you
> try to put notices and warnings in front of them.

What I mean is that I don't prefer to take in other changes for
this release and would like to release a Windows limited version.
As you say the Product version must be bumped up at least.

> Even aside from
> that, we've been working hard in recent years to make it easier for
> users to get started and having them manually update things is a big
> step backwards. Last but not least - manually updating files from an
> MSI package can cause problems with the Windows Installer.

ISTM the new release isn't a kind of "we are pleased to announce" one.
Maybe we would have to announce that the existing drivers are poison.

Anyway I'm inclined to separate third party libraries from psqlodbc.msi
e.g. in the next major version up.

regards,
Hiroshi Inoue




Re: Need new psqlODBC release to update OpenSSL again

From
Dave Page
Date:
On Sat, Jun 7, 2014 at 3:32 AM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
>
>
> (2014/06/06 17:25), Dave Page wrote:
>>
>> On Fri, Jun 6, 2014 at 5:16 AM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
>>>
>>> (2014/06/06 8:02), Michael Paquier wrote:
>>>>
>>>>
>>>> On Fri, Jun 6, 2014 at 6:50 AM, Dave Page <dpage@pgadmin.org> wrote:
>>>>>
>>>>>
>>>>> On Thu, Jun 5, 2014 at 10:35 PM, Inoue, Hiroshi <inoue@tpf.co.jp>
>>>>> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> (2014/06/05 22:19), Heikki Linnakangas wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> OpenSSL version 1.0.1h was released today, fixing several new
>>>>>>> vulnerabilities. Looks like we need to make a new psqlODBC release
>>>>>>> again, to
>>>>>>> get these fixed on Windows..
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Does this mean that we simply replace the ssl related dlls packaged in
>>>>>> psqlodbc.msi
>>>>>> and psqlodbc_x64.msi of the release 9.03.0300?
>>>>>
>>>>>
>>>>>
>>>>> You may also need to bump the version number in the MSI/MSM packages
>>>>> to ensure the upgrade happens.
>>>>
>>>>
>>>> Perhaps we should directly do a new release; commit 9e71e4d also fixed
>>>> a problem with the connection being closed when queries are sent.
>>>
>>>
>>>
>>> Why are we forced into new releases so often due to bugs in the OpenSSL
>>> libraries? I'd like to reflect some changes in the next release,
>>> but it would take some time. In addition, I've had little time to
>>> test recent changes.
>>
>>
>> That's the nature of releasing software that relies on third-party
>> security components, unfortunately. EDB have to put the work of a dozen
>> or so people on hold for a week every time this happens :-/
>>
>>> All package files at http://www.postgresql.org/ftp/odbc/versions
>>> /msi(mm or dll) may contain old OpenSSL DLLs. If the DLLs are so
>>> risky, shouldn't we remove the package files?
>>
>>
>> Probably, yes.
>>
>>> Is simply repackaging the Windows 9.03.0300 version (or other versions as
>>> well?), replacing the OpenSSL DLLs with new ones, unfavorable?
>>
>>
>> Users typically won't update the files though, no matter how much you
>> try to put notices and warnings in front of them.
>
>
> What I mean is that I don't prefer to take in other changes for
> this release and would like to release a Windows limited version.
> As you say the Product version must be bumped up at least.

Oh, for sure. There's no need to update anything else, unless you want to.

>> Even aside from
>> that, we've been working hard in recent years to make it easier for
>> users to get started and having them manually update things is a big
>> step backwards. Last but not least - manually updating files from an
>> MSI package can cause problems with the Windows Installer.
>
>
> ISTM the new release isn't a kind of "we are pleased to announce" one.
> Maybe we would have to announce that the existing drivers are poison.
>
> Anyway I'm inclined to separate third party libraries from psqlodbc.msi
> e.g. in the next major version up.

Please don't - that'll just make it harder for all users to get things right.


--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


Re: Need new psqlODBC release to update OpenSSL again

From
Hiroshi Saito
Date:
Hi.

Sorry for the very late reaction.

I checked, tested and packaged a build of the final 09.03.0300 release
in which only the OpenSSL library is replaced. Then I assigned a branch
number by incrementing the file name,
e.g. psqlodbc_09_03_0300-1.zip

I will upload if there is no objection.

Regards,
Hiroshi Saito

(2014/06/07 19:21), Dave Page wrote:
> On Sat, Jun 7, 2014 at 3:32 AM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
>>
>>
>> (2014/06/06 17:25), Dave Page wrote:
>>>
>>> On Fri, Jun 6, 2014 at 5:16 AM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
>>>>
>>>> (2014/06/06 8:02), Michael Paquier wrote:
>>>>>
>>>>>
>>>>> On Fri, Jun 6, 2014 at 6:50 AM, Dave Page <dpage@pgadmin.org> wrote:
>>>>>>
>>>>>>
>>>>>> On Thu, Jun 5, 2014 at 10:35 PM, Inoue, Hiroshi <inoue@tpf.co.jp>
>>>>>> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> (2014/06/05 22:19), Heikki Linnakangas wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> OpenSSL version 1.0.1h was released today, fixing several new
>>>>>>>> vulnerabilities. Looks like we need to make a new psqlODBC release
>>>>>>>> again, to
>>>>>>>> get these fixed on Windows..
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Does this mean that we simply replace the ssl related dlls packaged in
>>>>>>> psqlodbc.msi
>>>>>>> and psqlodbc_x64.msi of the release 9.03.0300?
>>>>>>
>>>>>>
>>>>>>
>>>>>> You may also need to bump the version number in the MSI/MSM packages
>>>>>> to ensure the upgrade happens.
>>>>>
>>>>>
>>>>> Perhaps we should directly do a new release; commit 9e71e4d also fixed
>>>>> a problem with the connection being closed when queries are sent.
>>>>
>>>>
>>>>
>>>> Why are we forced into new releases so often due to bugs in the OpenSSL
>>>> libraries? I'd like to reflect some changes in the next release,
>>>> but it would take some time. In addition, I've had little time to
>>>> test recent changes.
>>>
>>>
>>> That's the nature of releasing software that relies on third-party
>>> security components, unfortunately. EDB have to put the work of a dozen
>>> or so people on hold for a week every time this happens :-/
>>>
>>>> All package files at http://www.postgresql.org/ftp/odbc/versions
>>>> /msi(mm or dll) may contain old OpenSSL DLLs. If the DLLs are so
>>>> risky, shouldn't we remove the package files?
>>>
>>>
>>> Probably, yes.
>>>
>>>> Is simply repackaging the Windows 9.03.0300 version (or other versions as
>>>> well?), replacing the OpenSSL DLLs with new ones, unfavorable?
>>>
>>>
>>> Users typically won't update the files though, no matter how much you
>>> try to put notices and warnings in front of them.
>>
>>
>> What I mean is that I don't prefer to take in other changes for
>> this release and would like to release a Windows limited version.
>> As you say the Product version must be bumped up at least.
>
> Oh, for sure. There's no need to update anything else, unless you want to.
>
>>> Even aside from
>>> that, we've been working hard in recent years to make it easier for
>>> users to get started and having them manually update things is a big
>>> step backwards. Last but not least - manually updating files from an
>>> MSI package can cause problems with the Windows Installer.
>>
>>
>> ISTM the new release isn't a kind of "we are pleased to announce" one.
>> Maybe we would have to announce that the existing drivers are poison.
>>
>> Anyway I'm inclined to separate third party libraries from psqlodbc.msi
>> e.g. in the next major version up.
>
> Please don't - that'll just make it harder for all users to get things right.
>
>



Re: Need new psqlODBC release to update OpenSSL again

From
Hiroshi Inoue
Date:
(2014/06/10 21:10), Hiroshi Saito wrote:
> Hi.
>
> Sorry for the very late reaction.
>
> I checked, tested and packaged a build of the final 09.03.0300 release
> in which only the OpenSSL library is replaced. Then I assigned a branch
> number by incrementing the file name,
> e.g. psqlodbc_09_03_0300-1.zip

Hmm, shouldn't the product version be changed so that the existing 9.3.0300
can detect the upgrade, as Dave mentioned?

regards,
Hiroshi Inoue

> I will upload if there is no objection.
>
> Regards,
> Hiroshi Saito



Re: Need new psqlODBC release to update OpenSSL again

From
Hiroshi Saito
Date:
Hi.

I was able to apply it safely via upgrade.bat,
which then replaces the OpenSSL library properly. :-)

Regards,
Hiroshi Saito

(2014/06/11 20:54), Hiroshi Inoue wrote:
> (2014/06/10 21:10), Hiroshi Saito wrote:
>> Hi.
>>
>> Sorry for the very late reaction.
>>
>> I checked, tested and packaged a build of the final 09.03.0300 release
>> in which only the OpenSSL library is replaced. Then I assigned a branch
>> number by incrementing the file name,
>> e.g. psqlodbc_09_03_0300-1.zip
>
> Hmm, shouldn't the product version be changed so that the existing 9.3.0300
> can detect the upgrade, as Dave mentioned?
>
> regards,
> Hiroshi Inoue
>
>> I will upload if there is no objection.
>>
>> Regards,
>> Hiroshi Saito
>
>
>



Re: Need new psqlODBC release to update OpenSSL again

From
Chris Wilkins
Date:
It would be very helpful for us if there was a new driver version number. It will enable us to easily distinguish between the old and new driver and determine if we need to upgrade the driver in a particular installation.

Thanks,

Chris


On Wed, Jun 11, 2014 at 6:26 AM, Hiroshi Saito <hiroshi@winpg.jp> wrote:
> Hi.
>
> I was able to apply it safely via upgrade.bat,
> which then replaces the OpenSSL library properly. :-)
>
> Regards,
> Hiroshi Saito
>
>
> (2014/06/11 20:54), Hiroshi Inoue wrote:
>> (2014/06/10 21:10), Hiroshi Saito wrote:
>>> Hi.
>>>
>>> Sorry for the very late reaction.
>>>
>>> I checked, tested and packaged a build of the final 09.03.0300 release
>>> in which only the OpenSSL library is replaced. Then I assigned a branch
>>> number by incrementing the file name,
>>> e.g. psqlodbc_09_03_0300-1.zip
>>
>> Hmm, shouldn't the product version be changed so that the existing 9.3.0300
>> can detect the upgrade, as Dave mentioned?
>>
>> regards,
>> Hiroshi Inoue
>>
>>> I will upload if there is no objection.
>>>
>>> Regards,
>>> Hiroshi Saito






--
Sent via pgsql-odbc mailing list (pgsql-odbc@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-odbc

Re: Need new psqlODBC release to update OpenSSL again

From
Hiroshi Saito
Date:
Thanks,
I will announce it around the mirror site rsync timing.

(2014/06/12 2:01), Chris Wilkins wrote:
> It would be very helpful for us if there was a new driver version
> number. It will enable us to easily distinguish between the old and new
> driver and determine if we need to upgrade the driver in a particular
> installation.
>
> Thanks,
>
> Chris