[pgpool-general: 2733] OpenSSL vulnerability
Tatsuo Ishii
ishii at postgresql.org
Tue Apr 8 20:44:42 JST 2014
Hi pgpool-II users,

The OpenSSL vulnerability (http://heartbleed.com/) may affect you if you
are using pgpool-II built with OpenSSL enabled and turn on "ssl" in
your pgpool.conf.

To check if your pgpool was built with OpenSSL enabled or not, you can
use the ldd command:

$ ldd /usr/local/bin/pgpool
[snip]
libssl.so.10 => /lib64/libssl.so.10 (0x00007f8ea9d1f000)
[snip]

As you can see, this pgpool links libssl.so, which is a sign of using
OpenSSL. Then you want to check the OpenSSL version installed:

$ rpm -qa|grep -i openssl
openssl-devel-1.0.0l-1vl6.x86_64
ruby-openssl-1.8.7.374-2vl6.x86_64
openssl098-0.9.8r-1vl6.x86_64
pyOpenSSL-0.7-3vl6.x86_64
compat32-openssl-1.0.0l-1vl6.i686
openssl-1.0.0l-1vl6.x86_64

I'm using openssl-1.0.0, which is SAFE (OpenSSL 1.0.1 through 1.0.1f
(inclusive) are vulnerable).

If you have vulnerable versions of OpenSSL, you should immediately
upgrade to a fixed version. Or turn off the SSL setting in pgpool.conf:

ssl = off

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp
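
The three checks in the message above (libssl linkage, an OpenSSL version in the 1.0.1 through 1.0.1f range, ssl enabled in pgpool.conf) combined into one triage script. This is an added example, not part of the original post or of pgpool-II; the function names and sample data are constructed, and treating true/yes/1 as equivalent to on and the last ssl assignment as the effective one are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data is constructed.

# 0 if the ldd output on stdin shows a dynamic link against libssl.
links_libssl() { grep -q 'libssl\.so'; }

# Print the version of the base "openssl" package from `rpm -qa` output on
# stdin, skipping openssl-devel, openssl098, compat32-openssl and the like.
rpm_openssl_version() {
    sed -n 's/^openssl-\([0-9][0-9a-z.]*\)-.*/\1/p' | head -n 1
}

# 0 if the upstream version is in the range the post names:
# 1.0.1 through 1.0.1f inclusive.
openssl_version_vulnerable() {
    case "$1" in
        1.0.1|1.0.1[abcdef]) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if pgpool.conf text on stdin has an uncommented "ssl = on".
# Assumptions: the last assignment wins, and true/yes/1 also mean on.
pgpool_ssl_enabled() {
    val=$(sed -n "s/^[[:space:]]*ssl[[:space:]]*=[[:space:]]*'\{0,1\}\([A-Za-z0-9]*\).*/\1/p" |
          tail -n 1 | tr '[:upper:]' '[:lower:]')
    case "$val" in on|true|yes|1) return 0 ;; *) return 1 ;; esac
}

# Combine the checks. Args: ldd output, rpm -qa output, pgpool.conf text.
heartbleed_triage() {
    printf '%s\n' "$1" | links_libssl || { echo "not-linked"; return 0; }
    ver=$(printf '%s\n' "$2" | rpm_openssl_version)
    [ -n "$ver" ] || { echo "openssl-version-unknown"; return 0; }
    openssl_version_vulnerable "$ver" || { echo "openssl-$ver-not-in-range"; return 0; }
    printf '%s\n' "$3" | pgpool_ssl_enabled || { echo "ssl-off"; return 0; }
    echo "exposed"
}

# Constructed sample: a host with openssl 1.0.1e and ssl enabled in pgpool.conf.
SAMPLE_LDD='libssl.so.10 => /lib64/libssl.so.10 (0x00007f0000000000)'
SAMPLE_RPM='openssl-devel-1.0.1e-1.x86_64
openssl098-0.9.8r-1.x86_64
openssl-1.0.1e-1.x86_64'
SAMPLE_CONF='# ssl = off
ssl = on
ssl_key = "server.key"'
heartbleed_triage "$SAMPLE_LDD" "$SAMPLE_RPM" "$SAMPLE_CONF"
```

Distribution packages often carry backported fixes under an unchanged upstream version number, so an "exposed" result means the vendor's advisory for that exact package release still has to be checked.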