Openssl的某些版本报的一些心跳扩展包的处理漏洞, 如下 :
CVE-2014-0160 |
Learn more at National Vulnerability Database (NVD) ? Severity Rating ? Fix Information ? Vulnerable Software Versions ? SCAP Mappings |
| Description | |
|---|---|
| The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug. | |
可能导致敏感信息被攻击者获取.
如果在你的pg中使用了openssl相关的认证, 数据加密. 那么请尽快更新openssl版本, 影响的版本如下.
CVE-2014-0160: 7th April 2014A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. This issue did not affect versions of OpenSSL prior to 1.0.1. Reported by Neel Mehta.Fixed in OpenSSL 1.0.1g (Affected 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
在PostgreSQL中使用openssl加密的文章可参考 :
http://blog.163.com/digoal@126/blog/static/163877040201342233131835
http://blog.163.com/digoal@126/blog/static/1638770402013423101455507
检测PostgreSQL是否受到此漏洞影响, 可参考如下 :
http://michael.otacoo.com/postgresql-2/testing-heartbleed-on-postgres/
[参考]
1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
2. http://www.openssl.org/news/vulnerabilities.html
3. http://blog.hagander.net/archives/219-PostgreSQL-and-the-OpenSSL-Heartbleed-vulnerability.html
4. PostgreSQL 用到openssl库的地方.
configure:#include <openssl/ssl.h>
configure:#include <openssl/ssl.h>
configure:#include <openssl/err.h>
configure:#include <openssl/err.h>
contrib/sslinfo/sslinfo.c:#include <openssl/x509.h>
contrib/sslinfo/sslinfo.c:#include <openssl/asn1.h>
contrib/pgcrypto/openssl.c:#include <openssl/evp.h>
contrib/pgcrypto/openssl.c:#include <openssl/blowfish.h>
contrib/pgcrypto/openssl.c:#include <openssl/cast.h>
contrib/pgcrypto/openssl.c:#include <openssl/des.h>
contrib/pgcrypto/openssl.c:#include <openssl/rand.h>
contrib/pgcrypto/openssl.c:#include <openssl/err.h>
contrib/pgcrypto/openssl.c:#include <openssl/aes.h>
contrib/pgcrypto/pgp-mpi-openssl.c:#include <openssl/bn.h>
doc/src/sgml/libpq.sgml:#include <openssl/ssl.h>
doc/src/sgml/html/libpq-status.html:#include <openssl/ssl.h>
src/interfaces/libpq/fe-secure.c:#include <openssl/ssl.h>
src/interfaces/libpq/fe-secure.c:#include <openssl/conf.h>
src/interfaces/libpq/fe-secure.c:#include <openssl/engine.h>
src/interfaces/libpq/libpq-int.h:#include <openssl/ssl.h>
src/interfaces/libpq/libpq-int.h:#include <openssl/err.h>
src/tools/msvc/Solution.pm: $proj->AddIncludeDir($self->{options}->{openssl} . '\include');
src/include/pg_config.h.win32:/* Define to build with (Open)SSL support. (--with-openssl) */
src/include/pg_config.h:/* Define to build with (Open)SSL support. (--with-openssl) */
src/include/libpq/libpq-be.h:#include <openssl/ssl.h>
src/include/libpq/libpq-be.h:#include <openssl/err.h>
src/include/pg_config.h.in:/* Define to build with (Open)SSL support. (--with-openssl) */
src/bin/psql/command.c:#include <openssl/ssl.h>
src/backend/postmaster/fork_process.c:#include <openssl/rand.h>
src/backend/libpq/auth.c:#include <openssl/rand.h>
src/backend/libpq/be-secure.c:#include <openssl/ssl.h>
src/backend/libpq/be-secure.c:#include <openssl/dh.h>
src/backend/libpq/be-secure.c:#include <openssl/conf.h>