Hi

Based on feedback from existing users, I'm currently thinking I'll do a final wrap-up release of community pgAdmin III next week (after PGConf.EU). This will include the latest OpenSSL release.

On Tuesday, November 1, 2016, Sathesh S <sathesh.sunda...@hotmail.com> wrote:

> Hi Ben,
>
> Thanks for the information. I tried to install pgAdmin3 LTS version on my laptop but looks like there is no option to install it without installing PGC, even after installing PGC I’m not able to install pgAdmin3 as the package is not available.
>
> If you have installed it, can you please tell what version of OpenSSL is used by pgAdmin3 LTS.
>
> Also, it would be helpful if you can advise on copying OpenSSL file from pgAdmin IV to pgAdmin III (question in my previous email)
>
> Thanks,
> Sathesh
>
> *From:* Ben Trewern <ben.trew...@gmail.com>
> *Sent:* Monday, October 31, 2016 5:43 PM
> *To:* Sathesh S <sathesh.sunda...@hotmail.com>
> *Cc:* pgadmin-support@postgresql.org
> *Subject:* Re: [pgadmin-support] OpenSSL Vulnerability in pgAdmin III
>
> Hi,
>
> For pgAdmin III it might be worth looking at http://www.bigsql.org/pgadmin3/. They are looking at updating and supporting pgAdmin III for a while longer.
>
> Regards,
>
> Ben
>
> On 31 Oct 2016, at 04:43, Sathesh S <sathesh.sunda...@hotmail.com> wrote:
>
> Hello All,
>
> We use pgAdmin III to connect to Greenplum database. We had recently found out from our vulnerability team that pgAdmin III uses OpenSSL version before 1.0.2h which has the below vulnerability.
>
> OpenSSL version before 1.0.1t & 1.0.2h has vulnerabilities. And pgAdmin 3 is using a vulnerable version of OpenSSL.
>
> The latest version in pgAdmin III is v1.22 and it is using OpenSSL version 1.0.2f.
>
> Below is the info related to the vulnerability:
> Overview: The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
>
> Even though pgAdmin IV uses an OpenSSL version above 1.0.2h, we are unable to use pgAdmin IV because it is having issues connecting to Greenplum (it gives below error)
>
> ERROR: unrecognized configuration parameter "bytea_output"
>
> Can you please help with my below questions:
>
> 1. I understand that pgAdmin III is not supported anymore, but because pgAdmin IV is relatively new and a lot of people would be still using pgAdmin III, will an updated version of pgAdmin III with latest version of OpenSSL be released?
>
> 2. Can end users update the OpenSSL version themselves? I mean – Since pgAdmin IV is using OpenSSL 1.0.2h, can we copy this file to pgAdmin III v1.22.
> Is this workaround okay/allowed?
> Will this workaround create any issues in pgAdmin III?
>
> Please help, thanks in advance.
>
> Thanks,
> Sathesh

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company