Thread: BUG #17907: PostgreSQL 15.x contains OpenSSL DLLs (vulnerable to CVE-2023-0464, CVE-2023-0465 & CVE-2023-0466)

The following bug has been logged on the website:

Bug reference:      17907
Logged by:          Adrian Scott
Email address:      ascott@wwf.org.uk
PostgreSQL version: 15.2
Operating system:   Windows 10 Enterprise 64 bit
Description:

We have been alerted to the existence of 3 OpenSSL vulnerabilities that are
exposed within the OpenSSL v3.0.8 DLLs installed as part of the PostgreSQL
15.x install.
In the default install paths the 2 files are found here:
c:\program files\postgresql\15\bin\libcrypto-3-x64.dll
c:\program files\postgresql\15\bin\libssl-3-x64.dll

These are affected by vulnerabilities CVE-2023-0464, CVE-2023-0465 &
CVE-2023-0466

Please can you update the PostgreSQL distributions to include the latest
OpenSSL DLLs with your next bug-fix release (either using OpenSSL 3.1.1 or
3.0.9), to remove these vulnerabilities?
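As an added example (not part of the bug report and not PostgreSQL's own tooling), the following PowerShell check reads the version resource of the two DLLs named above and compares it with the first fixed release of that OpenSSL branch (3.0.9 for 3.0.x, 3.1.1 for 3.1.x, as requested in the report). It assumes the default install path quoted in the report and that the DLLs' FileVersion field carries the OpenSSL version string.

```powershell
# Added example: report whether the OpenSSL DLLs shipped in a PostgreSQL bin
# directory predate the releases that fix CVE-2023-0464/0465/0466.
# Assumptions: default PostgreSQL 15 path from the bug report; the DLL
# FileVersion resource holds the OpenSSL version (e.g. "3.0.8").
function Test-PgOpenSslDll {
    param(
        [string]$BinDir = 'C:\Program Files\PostgreSQL\15\bin'
    )
    # First fixed release per OpenSSL 3.x branch, as named in the report.
    $fixedByBranch = @{ '3.0' = [version]'3.0.9'; '3.1' = [version]'3.1.1' }
    $dlls = 'libcrypto-3-x64.dll', 'libssl-3-x64.dll'

    foreach ($name in $dlls) {
        $path = Join-Path $BinDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ File = $path; Version = $null; Status = 'missing' }
            continue
        }
        $info = (Get-Item -LiteralPath $path).VersionInfo
        $raw = if ($info.FileVersion) { $info.FileVersion } else { $info.ProductVersion }
        # Keep only the leading numeric part in case the field carries a suffix.
        $m = [regex]::Match([string]$raw, '^\d+(\.\d+){1,3}')
        if (-not $m.Success) {
            [pscustomobject]@{ File = $path; Version = $raw; Status = 'unknown' }
            continue
        }
        $ver = [version]$m.Value
        $branch = "$($ver.Major).$($ver.Minor)"
        if (-not $fixedByBranch.ContainsKey($branch)) {
            $status = 'unknown branch'
        } elseif ($ver -lt $fixedByBranch[$branch]) {
            $status = 'vulnerable'
        } else {
            $status = 'fixed'
        }
        [pscustomobject]@{ File = $path; Version = $ver; Status = $status }
    }
}

# Example run against the default install location.
Test-PgOpenSslDll | Format-Table -AutoSize
```

Pass a different `-BinDir` for non-default installs; a DLL whose version cannot be parsed is reported as `unknown` rather than silently treated as fixed.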


Hi,

In the security advisory, the OpenSSL community mentioned:
"Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available."

So once version 3.0.9 (and the 1.1.1 update) is released, we will rewrap the PostgreSQL installers.

On Thu, Apr 27, 2023 at 12:21 PM PG Bug reporting form <noreply@postgresql.org> wrote:

--
Sandeep Thakkar