1) X:\ManageEngine\DesktopCentral_Server\apache\bin\openssl.exe,
libeay32.dll, ssleay32.dll using vulnerable version 1.0.1i instead of
patched 1.0.1j. What is Desktop Central's procedure to update
OpenSSL when vulnerable versions are discovered and updates to OpenSSL
are released?
2) X:\ManageEngine\DesktopCentral_Server\pgsql is using an older potentially vulnerable version of PostgreSQL (9.2.4.13091) [http://secunia.com/advisories/57974] and a very old and very vulnerable version of OpenSSL (1.0.1c) packaged with PostgreSQL. What is the proper procedure to upgrade PostgreSQL and the included severely outdated OpenSSL in that directory? NOTE: I checked on PostgreSQL's site, and while their previous releases were in .zip format for possible extraction and copy/paste of updated files/components, their current updates are only in installable .exe format to download which don't seem to be available to extract without installing.
3) What is the procedure in Desktop Central to protect against the newly discovered POODLE vulnerability, as well as older SSLv3 vulnerabilities, in Apache (and any other services/components that utilize SSLv3)? In X:\ManageEngine\DesktopCentral_Server\apache\conf\httpd-ssl.conf > I have tried changing (SSLProtocol all) to (SSLProtocol -ALL +TLSv1) and (SSLProtocol +TLSv1) but the httpd-ssl.conf file keeps being overwritten/reverted back by Desktop Central. What is the procedure to make this change permanent or any other viable ways to completely disable SSLv3 from Apache as well as any other affected/vulnerable components that may use it?