From: "Inoue,Hiroshi"
Date: Wed, 21 Jun 2023 08:52:20 +0900
Subject: Re: psqlODBC drivers 13.2 flagged to be vulnerable for openssl 1.1.1l vulnerabilities
Cc: "pgsql-odbc@postgresql.org"

Hi Miloslav,

Sorry for the late reply.
We will make a new release in a few days.
Openssl 3.0.9 version will be used in the release.

regards,
Hiroshi Inoue

On Wed, 14 Jun 2023 at 23:11, Miloslav Zadrazil wrote:

> Hello,
>
> We use your ODBC drivers in our product. During security scans we have
> received a warning related to the content of the psqlODBC 13.2 driver package.
>
> It is flagged to contain OpenSSL 1.1.1l version vulnerable for
> CVE-2021-4160, CVE-2022-0778, CVE-2022-2097, CVE-2022-4304, CVE-2022-4450,
> CVE-2023-0215, CVE-2023-0286 exposures.
>
> We must deliver vulnerability analysis to our customers. Can you, please,
> confirm that ODBC drivers in version 13.2 are not affected by those
> exposures?
>
> Are there any plans to release additional ODBC driver’s version
> considering the fact that openssl 1.x versions are going to be EOF on
> September 11, 2023?
>
> Many thanks
>
> Best Regards
>
> Miloslav Zadrazil