Postgres Pro
Downloads
Home   >   mailing lists

Thread: OpenSSL v1.1.1n in postgres

OpenSSL v1.1.1n in postgres

From
"Vibhu Chauhan (iDEAS-ER&D)"
Date:

Hi Postgres support,

 

In one security scan we found that OpenSSL v1.1.1k is vulnerable which is sub-component of postgres 13.3.  From below link we came to know that affected OpenSSL version 1.1.1k is fixed in 1.1.1n version. We wanted to know which postgres version having this fix version of OpenSSL? And is there any steps to mitigate the risk of version 1.1.1k?

 

https://www.cvedetails.com/cve/CVE-2022-0778/

 

 

Thanks & Regards,

Vibhu Chauhan

Mob- (+91) 9610155774

 

Internal to Wipro

'The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com'
Attachment

Re: OpenSSL v1.1.1n in postgres

From
Daniel Gustafsson
Date:
> On 26 Mar 2022, at 18:32, Vibhu Chauhan (iDEAS-ER&D) <vibhu.chauhan@wipro.com> wrote:

> Hi Postgres support,

This is the bug reporting mailing list, and this is not a bug report.  Please
use pgsql-general for future questions like these.

> In one security scan we found that OpenSSL v1.1.1k is vulnerable which is sub-component of postgres 13.3.  From below
linkwe came to know that affected OpenSSL version 1.1.1k is fixed in 1.1.1n version. We wanted to know which postgres
versionhaving this fix version of OpenSSL? And is there any steps to mitigate the risk of version 1.1.1k? 

PostgreSQL doesn't come statically linked to any OpenSSL version, you need to
ask your system administrators and/or PostgreSQL service provider about this.

--
Daniel Gustafsson        https://vmware.com/

Re: OpenSSL v1.1.1n in postgres

From
Tom Lane
Date:
Daniel Gustafsson <daniel@yesql.se> writes:
>> On 26 Mar 2022, at 18:32, Vibhu Chauhan (iDEAS-ER&D) <vibhu.chauhan@wipro.com> wrote:
>> In one security scan we found that OpenSSL v1.1.1k is vulnerable which is sub-component of postgres 13.3.  From
belowlink we came to know that affected OpenSSL version 1.1.1k is fixed in 1.1.1n version. We wanted to know which
postgresversion having this fix version of OpenSSL? And is there any steps to mitigate the risk of version 1.1.1k? 

> PostgreSQL doesn't come statically linked to any OpenSSL version, you need to
> ask your system administrators and/or PostgreSQL service provider about this.

The question is possibly about the EDB Windows installer, but
it would still be better directed to EDB's support people.

            regards, tom lane

Re: OpenSSL v1.1.1n in postgres

From
"David G. Johnston"
Date:
On Sat, Mar 26, 2022 at 1:39 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Daniel Gustafsson <daniel@yesql.se> writes:
>> On 26 Mar 2022, at 18:32, Vibhu Chauhan (iDEAS-ER&D) <vibhu.chauhan@wipro.com> wrote:
>> In one security scan we found that OpenSSL v1.1.1k is vulnerable which is sub-component of postgres 13.3.  From below link we came to know that affected OpenSSL version 1.1.1k is fixed in 1.1.1n version. We wanted to know which postgres version having this fix version of OpenSSL? And is there any steps to mitigate the risk of version 1.1.1k?

> PostgreSQL doesn't come statically linked to any OpenSSL version, you need to
> ask your system administrators and/or PostgreSQL service provider about this.

The question is possibly about the EDB Windows installer, but
it would still be better directed to EDB's support people.


Seems likely.  Given that the CVE is from March and our 13.6 update came out in February the odds are any bundled releases are not yet updatable.

I do find it sad that this question about when a CVE has been patched is being asked where the active version is 10 months old and missing 3 PostgreSQL CVE fixes, including an SSL related one in 13.5

David J.

Re: OpenSSL v1.1.1n in postgres

From
Tom Lane
Date:
"David G. Johnston" <david.g.johnston@gmail.com> writes:
> I do find it sad that this question about when a CVE has been patched is
> being asked where the active version is 10 months old and missing 3
> PostgreSQL CVE fixes, including an SSL related one in 13.5

In the OP's defense, this OpenSSL CVE does look a lot scarier than
any of ours ... if I'm reading it right, anyone who can reach your
postmaster port can arrange to chew 100% CPU on your server.
OTOH, they can't do anything more than that, and you probably
shouldn't have your DB server accessible from the open internet
anyway.

            regards, tom lane

Re: OpenSSL v1.1.1n in postgres

From
Sandeep Thakkar
Date:
Hi,

Please note the EDB windows installer updates carrying the OpenSSL 1.1.1n are already available for download through website and stackbuilder. The latest PG installer versions for all the branches are:
  • 14.2-2
  • 13.6-2
  • 12.10-2
  • 11.15-2
  • 10.20-2
Please update to the required version.



On Sun, Mar 27, 2022 at 2:47 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
"David G. Johnston" <david.g.johnston@gmail.com> writes:
> I do find it sad that this question about when a CVE has been patched is
> being asked where the active version is 10 months old and missing 3
> PostgreSQL CVE fixes, including an SSL related one in 13.5

In the OP's defense, this OpenSSL CVE does look a lot scarier than
any of ours ... if I'm reading it right, anyone who can reach your
postmaster port can arrange to chew 100% CPU on your server.
OTOH, they can't do anything more than that, and you probably
shouldn't have your DB server accessible from the open internet
anyway.

                        regards, tom lane




--
Sandeep Thakkar