[pgpool-general: 2733] OpenSSL vulnerability

Tatsuo Ishii ishii at postgresql.org
Tue Apr 8 20:44:42 JST 2014


Hi pgpool-II users,

The OpenSSL vulnerability (http://heartbleed.com/) may affect you if you
are using pgpool-II built with OpenSSL enabled and have turned on "ssl" in
your pgpool.conf.

To check whether your pgpool was built with OpenSSL enabled, you can
use the ldd command:

$ ldd /usr/local/bin/pgpool
[snip]

	libssl.so.10 => /lib64/libssl.so.10 (0x00007f8ea9d1f000)

[snip]

As you can see, this pgpool links libssl.so, which is a sign of using
OpenSSL. Then you want to check the OpenSSL version installed:

$ rpm -qa|grep -i openssl
openssl-devel-1.0.0l-1vl6.x86_64
ruby-openssl-1.8.7.374-2vl6.x86_64
openssl098-0.9.8r-1vl6.x86_64
pyOpenSSL-0.7-3vl6.x86_64
compat32-openssl-1.0.0l-1vl6.i686
openssl-1.0.0l-1vl6.x86_64

I'm using openssl-1.0.0, which is SAFE (OpenSSL 1.0.1 through 1.0.1f
(inclusive) are vulnerable).

If you have a vulnerable version of OpenSSL, you should immediately
upgrade to a fixed version. Or turn off the SSL setting in pgpool.conf:

ssl = off

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp
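
The three checks described in the message above (libssl linkage, the "ssl" setting, and the OpenSSL version range), combined into one script. This is an added example, not part of the original post or of pgpool-II; the function names are hypothetical, and taking the last uncommented "ssl =" line as the effective setting is an assumption.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not pgpool-II tooling.

# Reads `ldd` output on stdin; succeeds if the binary links libssl.
links_libssl() {
    grep -q 'libssl\.so'
}

# Reads pgpool.conf text on stdin; succeeds if ssl is switched on.
# Comments are stripped; ssl_key / ssl_cert lines do not match.
# Assumption: the last uncommented "ssl =" line is the effective one.
ssl_enabled() {
    val=$(sed -e 's/#.*//' |
          sed -n "s/^[[:space:]]*ssl[[:space:]]*=[[:space:]]*'\{0,1\}\([A-Za-z0-9]*\).*/\1/p" |
          tail -n 1 | tr 'A-Z' 'a-z')
    case "$val" in
        on|true|yes|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Classifies an upstream OpenSSL version string against the range given
# in the message: 1.0.1 through 1.0.1f inclusive. A suffix such as
# "-fips" is ignored. Distribution packages can carry a backported fix
# under an unchanged upstream version, so confirm a "vulnerable" result
# against the vendor advisory for the exact package release.
classify_openssl() {
    v=${1%%-*}
    case "$v" in
        1.0.1|1.0.1[a-f]) echo vulnerable ;;
        *) echo not-affected ;;
    esac
}

# $1 = ldd output, $2 = pgpool.conf contents, $3 = OpenSSL version.
assess() {
    if ! printf '%s\n' "$1" | links_libssl; then
        echo "ok: not built with OpenSSL"
    elif ! printf '%s\n' "$2" | ssl_enabled; then
        echo "ok: ssl is off in pgpool.conf"
    elif [ "$(classify_openssl "$3")" = vulnerable ]; then
        echo "EXPOSED: upgrade OpenSSL or set ssl = off"
    else
        echo "ok: OpenSSL $3 is outside the 1.0.1 to 1.0.1f range"
    fi
}

# Usage (the pgpool.conf path and version source are site-specific):
#   assess "$(ldd /usr/local/bin/pgpool)" "$(cat pgpool.conf)" 1.0.1e
```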

