Good to hear on OpenSSL 1.0.1j. I eagerly await the update.
Regarding the OpenSSL in PostgreSQL, SSL is kept in a disabled state by default. We never enable it as both the server and DB are on the same machine. Since both the server service and DB are running on the same machine, there isn't any need for the secure transfer between these two, hence we disabled it. Hence you needn't worry about the OpenSSL version which is bundled with PostgreSQL.

This is VERY good information. But may I make some suggestions on the matter?
1) If OpenSSL isn't used or needed in PostgreSQL, then I would recommend:
   a. Completely remove it from the directory (if that doesn't adversely affect PostgreSQL).
   b. Keep it updated at the same time as you update the OpenSSL in Apache. It's the same version tree, so it shouldn't be too difficult to update (or to get PostgreSQL to update).
2) PostgreSQL is also using an older version, which has the potential to be exploited. An update to PostgreSQL should also be considered at your earliest possible convenience.
PostgreSQL OpenSSL TLS/DTLS Heartbeat Information Disclosure Vulnerabilities.
EnterpriseDB Corporation has acknowledged two vulnerabilities in PostgreSQL, which can be exploited by malicious people to disclose potentially sensitive information.
The vulnerabilities are caused due to a bundled vulnerable version of OpenSSL within the installer package.
For more information: SA57347
There are many companies out there who are required to perform scans of their systems for PCI Compliance, and are required to patch outdated and vulnerable software or risk being out of compliance. Keeping insecure and vulnerable components in Desktop Central can be very costly for such companies.
Some things to consider.