Re: What is the recommended procedure to update outdated/vulnerable Desktop Central components?

Good to hear on OpenSSL 1.0.1j. I eagerly await the update.


Regarding the OpenSSL in PostgreSQL, SSL is kept in a disabled state by default. We never enable it, as both the server and DB are on the same machine. Since both the server service and DB are running on the same machine, there isn't any need for secure transfer between these two, so we disabled it. Hence you needn't worry about the OpenSSL version which is bundled with PostgreSQL.

This is VERY good information. But may I make some suggestions on the matter?

1) If OpenSSL isn't used or needed in PostgreSQL, then I would recommend:
      a. Completely remove it from the directory (if that doesn't adversely affect PostgreSQL).
      b. Keep it updated at the same time as you update the OpenSSL in Apache. It's the same version tree, so it shouldn't be too difficult to update (or to get PostgreSQL to update).

2) PostgreSQL is also using an older version, which has the potential to be exploited. An update to PostgreSQL should also be considered at your earliest possible convenience. 


PostgreSQL OpenSSL TLS/DTLS Heartbeat Information Disclosure Vulnerabilities.

EnterpriseDB Corporation has acknowledged two vulnerabilities in PostgreSQL, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerabilities are caused due to a bundled vulnerable version of OpenSSL within the installer package.

For more information: SA57347

There are many companies out there who are required to perform scans of their systems for PCI Compliance, and are required to patch outdated and vulnerable software or risk being out of compliance. Keeping insecure and vulnerable components in Desktop Central can be very costly for such companies.

Some things to consider.
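An added illustration of the "keep both bundled copies tracked" point above (example code written for this page, not code from the thread, the vendor or the Desktop Central product): a Python inventory check that walks an install root, reads the version string OpenSSL embeds in its libraries, and flags any copy older than a minimum such as 1.0.1j, whether or not SSL is enabled in the service that ships it. The library file names and the install path are assumptions.

```python
import os
import re
from typing import Iterable, List, Tuple

# OpenSSL libraries embed OPENSSL_VERSION_TEXT, e.g. b"OpenSSL 1.0.1g 7 Apr 2014",
# so the version of a bundled copy can be read from the file without loading it.
_EMBEDDED = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")

# Assumed library names for a Windows bundle (Apache and PostgreSQL each ship their own copy).
LIBRARY_NAMES = ("libeay32.dll", "ssleay32.dll", "libssl", "libcrypto")


def parse_version(text: str) -> Tuple[int, int, int, str]:
    """'1.0.1j' -> (1, 0, 1, 'j'); the trailing letter is the patch level in the 1.0.x tree."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def is_outdated(found: str, minimum: str) -> bool:
    """True when found is older than minimum; tuple order gives 1.0.1g < 1.0.1j and 1.0.1 < 1.0.1a."""
    return parse_version(found) < parse_version(minimum)


def versions_in(blob: bytes) -> List[str]:
    """Every distinct OpenSSL version string embedded in a binary."""
    return sorted({m.group(1).decode() for m in _EMBEDDED.finditer(blob)})


def audit(files: Iterable[Tuple[str, bytes]], minimum: str) -> List[Tuple[str, str]]:
    """(path, version) for each file that carries a copy older than minimum."""
    findings = []
    for path, blob in files:
        for ver in versions_in(blob):
            if is_outdated(ver, minimum):
                findings.append((path, ver))
    return findings


def scan_tree(root: str, minimum: str = "1.0.1j") -> List[Tuple[str, str]]:
    """Walk an install root (assumed: the Desktop Central directory) and audit every OpenSSL library."""
    def libraries():
        for dirpath, _, names in os.walk(root):
            for name in names:
                if name.lower().startswith(LIBRARY_NAMES):
                    full = os.path.join(dirpath, name)
                    with open(full, "rb") as fh:
                        yield full, fh.read()
    return audit(libraries(), minimum)
```

Because the check reads the file rather than the running service, a library that is present but unused (the PostgreSQL case described above) is still reported, which matches what a compliance scanner will flag.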
