Re: BUG #17907: PostgresSQL 15.x contains OpenSSL DLLs (vulnerable to CVE-2023-0464, CVE-2023-0465 & CVE-2023-0466)

Lists: pgsql-bugs
From: PG Bug reporting form <noreply(at)postgresql(dot)org>
To: pgsql-bugs(at)lists(dot)postgresql(dot)org
Cc: ascott(at)wwf(dot)org(dot)uk
Subject: BUG #17907: PostgresSQL 15.x contains OpenSSL DLLs (vulnerable to CVE-2023-0464, CVE-2023-0465 & CVE-2023-0466)
Date: 2023-04-24 14:34:36
Message-ID: 17907-8cd9b572b6722919@postgresql.org

The following bug has been logged on the website:

Bug reference: 17907
Logged by: Adrian Scott
Email address: ascott(at)wwf(dot)org(dot)uk
PostgreSQL version: 15.2
Operating system: Windows 10 Enterprise 64 bit
Description:

We have been alerted to the existence of 3 OpenSSL vulnerabilities that are
exposed within the OpenSSL v3.0.8 DLLs installed as part of the PostgreSQL
15.x install.
In the default install paths the 2 files are found here:
c:\program files\postgresql\15\bin\libcrypto-3-x64.dll
c:\program files\postgresql\15\bin\libssl-3-x64.dll

These are affected by vulnerabilities CVE-2023-0464, CVE-2023-0465 &
CVE-2023-0466

Please can you update the PostgreSQL distributions to include the latest
OpenSSL DLLs with your next bug-fix release (either using OpenSSL 3.1.1 or
3.0.9), to remove these vulnerabilities?
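The report above names the two DLL paths and the fixed releases (3.0.9 for the 3.0 branch, 3.1.1 for the 3.1 branch) but gives no way to confirm which OpenSSL build an installation actually carries. The script below is an added example for this page, not code from the pgsql-bugs thread or from the PostgreSQL/EDB installer project. It assumes the DLLs embed their OPENSSL_VERSION_TEXT string (e.g. "OpenSSL 3.0.8 7 Feb 2023") in plain ASCII, which is the string OpenSSL reports for its own version at runtime; the branch-to-fixed-version table, the file-name globs and the sample bytes are constructed from the thread. It generalises slightly beyond the report: it scans every libcrypto/libssl DLL under a directory, not just the two default paths.

```python
"""Locate OpenSSL DLLs under a PostgreSQL bin directory, read the version
string libcrypto/libssl embed, and compare it with the fixed releases the
thread names (3.0.9 for the 3.0 branch, 3.1.1 for the 3.1 branch).

Added example; not code from the pgsql-bugs thread or the PostgreSQL project.
Assumption: each DLL carries its OPENSSL_VERSION_TEXT string in plain ASCII.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Minimum fixed release per (major, minor) branch, taken from the thread.
# A branch that is not listed (e.g. 1.1.1) is reported as unknown, not guessed.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (3, 0): (3, 0, 9),
    (3, 1): (3, 1, 1),
}

# Matches "OpenSSL 3.0.8" inside arbitrary binary data; a trailing letter
# (1.1.1t style) is tolerated but not used for comparison.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)[a-z]?\b")

# File names from the report; constructed globs so other builds also match.
DLL_GLOBS = ("libcrypto*.dll", "libssl*.dll")


def embedded_versions(data: bytes) -> List[Version]:
    """Return every distinct OpenSSL version found in the bytes, lowest first."""
    found = {tuple(int(g) for g in m.groups()) for m in VERSION_RE.finditer(data)}
    return sorted(found)


def assess(versions: List[Version]) -> str:
    """'vulnerable' if any listed-branch version is below its fixed release,
    'fixed' if all listed-branch versions are at or above it, 'unknown' if no
    version string (or only an unlisted branch) was found."""
    verdicts = []
    for v in versions:
        fixed = FIXED_BY_BRANCH.get(v[:2])
        if fixed is not None:
            verdicts.append("vulnerable" if v < fixed else "fixed")
    if not verdicts:
        return "unknown"
    return "vulnerable" if "vulnerable" in verdicts else "fixed"


def scan_install(bin_dir: Path) -> Dict[str, Tuple[List[Version], str]]:
    """Map each OpenSSL DLL under bin_dir to (versions found, verdict)."""
    results: Dict[str, Tuple[List[Version], str]] = {}
    for pattern in DLL_GLOBS:
        for dll in sorted(bin_dir.glob(pattern)):
            versions = embedded_versions(dll.read_bytes())
            results[dll.name] = (versions, assess(versions))
    return results


def fmt(v: Version) -> str:
    return ".".join(map(str, v))


if __name__ == "__main__":
    # Constructed sample: two fake DLLs carrying the strings a 3.0.8 build and
    # a 3.0.9 build would embed, so the script runs without a real install.
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp)
        (bin_dir / "libcrypto-3-x64.dll").write_bytes(
            b"\x00" * 64 + b"OpenSSL 3.0.8 7 Feb 2023\x00" + b"\x00" * 64)
        (bin_dir / "libssl-3-x64.dll").write_bytes(
            b"\x00" * 64 + b"OpenSSL 3.0.9\x00" + b"\x00" * 64)
        for name, (versions, verdict) in scan_install(bin_dir).items():
            print(f"{name}: {', '.join(map(fmt, versions)) or '-'} -> {verdict}")
```

Against a real installation, call `scan_install(Path(r"C:\Program Files\PostgreSQL\15\bin"))`; the verdict is "unknown" rather than "fixed" when no version string is found, so a stripped or repackaged DLL is never silently treated as patched.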


From: Sandeep Thakkar <sandeep(dot)thakkar(at)enterprisedb(dot)com>
To: ascott(at)wwf(dot)org(dot)uk, pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #17907: PostgresSQL 15.x contains OpenSSL DLLs (vulnerable to CVE-2023-0464, CVE-2023-0465 & CVE-2023-0466)
Date: 2023-04-27 07:43:00
Message-ID: CANFyU96es7PvJnm+y=OWCxL24eD77hagSeh37Ws2v=rtG2eVtQ@mail.gmail.com
Lists: pgsql-bugs

Hi,

In the security advisory, the OpenSSL community had mentioned:
"Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when
they become available."

So once version 3.0.9 (and the 1.1.1 update) is available, we will rewrap the
PostgreSQL installers.

On Thu, Apr 27, 2023 at 12:21 PM PG Bug reporting form <
noreply(at)postgresql(dot)org> wrote:

> The following bug has been logged on the website:
>
> Bug reference: 17907
> Logged by: Adrian Scott
> Email address: ascott(at)wwf(dot)org(dot)uk
> PostgreSQL version: 15.2
> Operating system: Windows 10 Enterprise 64 bit
> Description:
>
> We have been alerted to the existence of 3 OpenSSL vulnerabilities that are
> exposed within the OpenSSL v3.0.8 DLLs installed as part of the PostgreSQL
> 15.x install.
> In the default install paths the 2 files are found here:
> c:\program files\postgresql\15\bin\libcrypto-3-x64.dll
> c:\program files\postgresql\15\bin\libssl-3-x64.dll
>
> These are affected by vulnerabilities CVE-2023-0464, CVE-2023-0465 &
> CVE-2023-0466
>
> Please can you update the PostgreSQL distributions to include the latest
> OpenSSL DLLs with your next bug-fix release (either using OpenSSL 3.1.1 or
> 3.0.9), to remove these vulnerabilities?
>
>

--
Sandeep Thakkar