Hi Ben,

Thanks for the information. I tried to install the pgAdmin3 LTS version on my 
laptop, but it looks like there is no option to install it without installing PGC, 
and even after installing PGC I'm not able to install pgAdmin3 as the package is not 
available.

If you have installed it, can you please tell me what version of OpenSSL is used 
by pgAdmin3 LTS?

Also, it would be helpful if you can advise on copying the OpenSSL file from 
pgAdmin IV to pgAdmin III (question in my previous email).

Thanks,
Sathesh


From: Ben Trewern <ben.trew...@gmail.com>
Sent: Monday, October 31, 2016 5:43 PM
To: Sathesh S <sathesh.sunda...@hotmail.com>
Cc: pgadmin-support@postgresql.org
Subject: Re: [pgadmin-support] OpenSSL Vulnerability in pgAdmin III

Hi,

For pgAdmin III it might be worth looking at http://www.bigsql.org/pgadmin3/.  
They are looking at updating and supporting pgAdmin III for a while longer.

Regards,

Ben


On 31 Oct 2016, at 04:43, Sathesh S <sathesh.sunda...@hotmail.com> wrote:


Hello All,

We use pgAdmin III to connect to a Greenplum database. We recently found out 
from our vulnerability team that pgAdmin III uses an OpenSSL version before 1.0.2h, 
which has the vulnerability below.

OpenSSL version before 1.0.1t & 1.0.2h has vulnerabilities. And pgAdmin 3 is 
using a vulnerable version of OpenSSL.

The latest version in pgAdmin III is v1.22 and it is using OpenSSL version 
1.0.2f.

Below is the info related to the vulnerability:
Overview: The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL 
before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain 
sensitive information from process stack memory or cause a denial of service 
(buffer over-read) via crafted EBCDIC ASN.1 data.

Even though pgAdmin IV uses an OpenSSL version above 1.0.2h, we are unable to 
use pgAdmin IV because it has issues connecting to Greenplum (it gives the 
error below):

ERROR: unrecognized configuration parameter "bytea_output"

Can you please help with my below questions:

1. I understand that pgAdmin III is not supported anymore, but because 
pgAdmin IV is relatively new and a lot of people would still be using pgAdmin 
III, will an updated version of pgAdmin III with the latest version of 
OpenSSL be released?

2. Can end users update the OpenSSL version themselves? I mean, since 
pgAdmin IV is using OpenSSL 1.0.2h, can we copy this file to pgAdmin III v1.22? 
Is this workaround okay/allowed? 
Will this workaround create any issues in pgAdmin III?

Please help, thanks in advance.

Thanks,
Sathesh
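The two questions running through this thread are "which OpenSSL does this pgAdmin build actually ship?" and "does that version fall inside the ranges the advisory names (before 1.0.1t, and 1.0.2 before 1.0.2h)?". The script below is an added example, not code from pgAdmin or from anyone in this thread: it pulls the version banner that every OpenSSL build embeds (strings of the form `OpenSSL 1.0.2f  28 Jan 2016`) out of a binary image such as the OpenSSL DLL shipped beside pgAdmin III, and classifies each version against the advisory's thresholds. It assumes the 1.0.x letter-suffix scheme (1.0.1 < 1.0.1a < ... < 1.0.1z < 1.0.2 < 1.0.2a) and uses a constructed byte blob in place of a real library file; function names are my own.

```python
import re
from typing import List, Tuple

Version = Tuple[int, int, int, int]

# Thresholds taken from the advisory text quoted in the thread.
# A tuple (major, minor, fix, letter) with letter 0 for "no letter" and
# a=1 .. z=26 orders 1.0.x releases the way OpenSSL numbers them.
FIXED_1_0_1 = (1, 0, 1, 20)   # 1.0.1t
FIRST_1_0_2 = (1, 0, 2, 0)    # 1.0.2 (no letter)
FIXED_1_0_2 = (1, 0, 2, 8)    # 1.0.2h

# Matches the banner string an OpenSSL build embeds, e.g. "OpenSSL 1.0.2f  28 Jan 2016".
BANNER_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(text: str) -> Version:
    """Turn '1.0.2f' into (1, 0, 2, 6); raise ValueError on malformed input."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text.strip())
    if not m:
        raise ValueError(f"not an OpenSSL 1.0.x style version: {text!r}")
    major, minor, fix, letter = m.groups()
    letter_index = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(fix), letter_index)


def is_affected(version: Version) -> bool:
    """True if the version lies in one of the ranges the advisory names."""
    if version < FIXED_1_0_1:          # everything before 1.0.1t
        return True
    return FIRST_1_0_2 <= version < FIXED_1_0_2   # 1.0.2 before 1.0.2h


def find_openssl_banners(blob: bytes) -> List[str]:
    """Extract every OpenSSL version banner embedded in a binary image."""
    found = []
    for m in BANNER_RE.finditer(blob):
        major, minor, fix, letter = m.groups()
        found.append(f"{int(major)}.{int(minor)}.{int(fix)}{letter.decode()}")
    return found


def audit_binary(blob: bytes) -> List[Tuple[str, bool]]:
    """Return (version string, affected?) for each banner found in the blob."""
    return [(v, is_affected(parse_version(v))) for v in find_openssl_banners(blob)]


def audit_file(path: str) -> List[Tuple[str, bool]]:
    """Same check run over a file on disk (e.g. an OpenSSL DLL next to pgAdmin)."""
    with open(path, "rb") as f:
        return audit_binary(f.read())


# Constructed sample standing in for the bytes of a shared library; it is
# not a real file image, just two banners separated by filler bytes.
SAMPLE_BLOB = (
    b"\x00\x00MZ\x90\x00filler\x00"
    b"OpenSSL 1.0.2f  28 Jan 2016\x00"
    b"more filler\x00"
    b"OpenSSL 1.0.2h  3 May 2016\x00"
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for version, affected in audit_binary(blob):
        print(f"OpenSSL {version}: {'AFFECTED' if affected else 'not affected'}")
```

Run it with the path to the OpenSSL library that ships with the pgAdmin install as its only argument; with no argument it audits the constructed sample, reporting 1.0.2f as affected and 1.0.2h as not. A banner string only tells you which version was built; it does not prove the code path in question is reachable from the client, so treat the result as an inventory check, not a proof of exploitability.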
