Thread: OpenSSL Vulnerability in pgAdmin III
Hello All,

We use pgAdmin III to connect to a Greenplum database. We had recently found out from our vulnerability team that pgAdmin III uses an OpenSSL version before 1.0.2h which has the below vulnerability.

OpenSSL versions before 1.0.1t & 1.0.2h have vulnerabilities. And pgAdmin 3 is using a vulnerable version of OpenSSL.

The latest version of pgAdmin III is v1.22 and it is using OpenSSL version 1.0.2f.

Below is the info related to the vulnerability:

Overview: The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.

Even though pgAdmin IV uses an OpenSSL version above 1.0.2h, we are unable to use pgAdmin IV because it is having issues connecting to Greenplum (it gives the below error):

ERROR: unrecognized configuration parameter "bytea_output"

Can you please help with my below questions:

1. I understand that pgAdmin III is not supported anymore, but because pgAdmin IV is relatively new and a lot of people would still be using pgAdmin III, will an updated version of pgAdmin III be released with the latest version of OpenSSL?

2. Can end users update the OpenSSL version themselves? I mean, since pgAdmin IV is using OpenSSL 1.0.2h, can we copy this file to pgAdmin III v1.22? Is this workaround okay/allowed? Will this workaround create any issues in pgAdmin III?

Please help, thanks in advance.

Thanks,
Sathesh
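A check for the practical question raised in this post: which OpenSSL build a pgAdmin III install actually ships, and whether it falls in the range the advisory quoted above describes (before 1.0.1t, or 1.0.2 before 1.0.2h). This is an added example, not code from the pgAdmin project or from the poster. It relies on one fact about OpenSSL: libcrypto/libssl embed their full version banner as a plain string (for example "OpenSSL 1.0.2f  28 Jan 2016"), so the library can be inspected without loading it. The library file names (libeay32.dll and ssleay32.dll on Windows, libcrypto/libssl on Linux) are assumptions about a typical install layout, and the sample bytes are constructed.

```python
"""Report the OpenSSL build bundled with a pgAdmin III install and whether it
predates the fixed releases named in the thread (1.0.1t / 1.0.2h).

Added example, not part of pgAdmin. It reads the version banner that OpenSSL
compiles into libcrypto/libssl as a plain string, so no library is loaded.
"""
import re
import sys
from pathlib import Path

# Assumed file names: Windows builds ship libeay32.dll/ssleay32.dll,
# Linux builds libcrypto*/libssl*. Adjust for your install.
CANDIDATE_NAMES = ("libeay32.dll", "ssleay32.dll", "libcrypto", "libssl")

# Matches banners such as "OpenSSL 1.0.2f  28 Jan 2016" and
# "OpenSSL 1.0.1t-fips  3 May 2016" (date required, so only the full
# banner is picked up, not bare version fragments).
BANNER_RE = re.compile(
    rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:-fips)?\s+\d{1,2} [A-Z][a-z]{2} \d{4}"
)

# Fixed-in patch letter per release branch, as quoted in the thread.
FIXED_IN = {(1, 0, 1): "t", (1, 0, 2): "h"}


def parse_version(text):
    """'1.0.2f' -> (1, 0, 2, 'f'); the letter suffix may be empty ('1.0.2')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError("not an OpenSSL version: %r" % text)
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters)


def _key(v):
    # Pre-1.1.0 OpenSSL orders patch releases by letter suffix
    # ('' < 'a' < ... < 'z' < 'za'); (len, str) reproduces that ordering.
    return (v[0], v[1], v[2], (len(v[3]), v[3]))


def banner_version(blob):
    """Return the version string found in a libcrypto/libssl image, or None."""
    m = BANNER_RE.search(blob)
    if not m:
        return None
    return "%s.%s.%s%s" % tuple(g.decode() for g in m.groups())


def is_affected(version):
    """True if `version` lies in the advisory's range: anything before
    1.0.1t, or a 1.0.2 release before 1.0.2h."""
    v = parse_version(version)
    branch = v[:3]
    if branch in FIXED_IN:
        return _key(v) < _key(branch + (FIXED_IN[branch],))
    # Older branches (0.9.8, 1.0.0) are "before 1.0.1t"; 1.1.0+ is out of range.
    return _key(v) < _key((1, 0, 1, "t"))


def scan_install(root):
    """Map each OpenSSL library under `root` to its banner version (or None)."""
    found = {}
    for path in Path(root).rglob("*"):
        name = path.name.lower()
        if path.is_file() and any(name.startswith(c) for c in CANDIDATE_NAMES):
            found[str(path)] = banner_version(path.read_bytes())
    return found


# Constructed stand-in for the bytes of a bundled libeay32.dll; a real file is
# a few MB with the banner somewhere in its read-only data.
SAMPLE_LIBEAY32 = (b"MZ\x90\x00" + b"\x00" * 16
                   + b"OpenSSL 1.0.2f  28 Jan 2016\x00" + b"\xff" * 8)


if __name__ == "__main__":
    # Usage: python check_openssl.py "C:\Program Files (x86)\pgAdmin III\1.22"
    if len(sys.argv) > 1:
        results = scan_install(sys.argv[1])
    else:
        results = {"<constructed libeay32.dll>": banner_version(SAMPLE_LIBEAY32)}
    for path, ver in results.items():
        status = "unknown" if ver is None else ("AFFECTED" if is_affected(ver) else "fixed")
        print("%-50s %-8s %s" % (path, ver or "?", status))
```

Run against an install directory it lists each OpenSSL library with its banner version and whether that version predates the fix. It only reads the banner: it says nothing about whether a library copied in from another package (the second question in the post) will load or is compatible with the rest of the pgAdmin III build.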
From: Ben Trewern
Sent: Monday, October 31, 2016 5:43 PM
To: Sathesh S
Cc: pgadmin-support@postgresql.org
Subject: Re: [pgadmin-support] OpenSSL Vulnerability in pgAdmin III

Hi,

For pgAdmin III it might be worth looking at http://www.bigsql.org/pgadmin3/ . They are looking at updating and supporting pgAdmin III for a while longer.

Regards,

Ben
Hi Ben,
Thanks for the information. I tried to install the pgAdmin3 LTS version on my laptop but it looks like there is no option to install it without installing PGC, and even after installing PGC I'm not able to install pgAdmin3 as the package is not available.
If you have installed it, can you please tell me what version of OpenSSL is used by pgAdmin3 LTS?
Also, it would be helpful if you can advise on copying the OpenSSL file from pgAdmin IV to pgAdmin III (question in my previous email).
Thanks,
Sathesh
From: Ben Trewern
Sent: Monday, October 31, 2016 5:43 PM
To: Sathesh S
Cc: pgadmin-support@postgresql.org
Subject: Re: [pgadmin-support] OpenSSL Vulnerability in pgAdmin III
Hi,

For pgAdmin III it might be worth looking at http://www.bigsql.org/pgadmin3/ . They are looking at updating and supporting pgAdmin III for a while longer.

Regards,

Ben
Hi

Based on feedback from existing users, I'm currently thinking I'll do a final wrap-up release of community pgAdmin III next week (after PGConf.EU). This will include the latest OpenSSL release.
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
Thanks Dave, it will be wonderful to have an updated final release.
Thanks,
Sathesh
Hi Dave,
By any chance will the updated pgadmin III get released by this weekend?
Thanks,
Sathesh
I'm going to try to do it this afternoon - things got a bit busy after PGConf.EU...

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company