Regarding the Open SSL in PostgreSQL, SSL is kept disabled state by default. We never enable it as both the server and DB are on the same machine. Since both the server service and DB are    running    on the same machine, there isn't any need for the secure transfer between these two hence we disabled it.  Hence you needn't worry about the OpenSSL version which is bundled with PostgreSQL. 

 

This is VERY good information. But, may I make some suggestions on the matter.

1) If OpenSSL isn't used or needed in PostgreSQL, then I would recommend:

      a. Completely remove it from the directory (if that doesn't adversely affect PostgresQL).

      b. Keep it updated at the same time as you update the OpenSSL in Apache. It's the same version tree, so it shouldn't be too difficult to update (or to get PostgreSQL to update).

2) PostgreSQL is also using an older version, which has the potential to be exploited. An update to PostgreSQL should also be considered at your earliest possible convenience. 

PostgreSQL OpenSSL TLS/DTLS Heartbeat Information Disclosure Vulnerabilities.

EnterpriseDB Corporation has acknowledged two vulnerabilities in PostgreSQL, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerabilities are caused due to a bundled vulnerable version of OpenSSL within the installer package.

For more information:  SA57347  

There are many companies out there who are required to perform scans of their systems for PCI Compliance, and are required to patch outdated and vulnerable software or risk being out of compliance. Keeping insecure and vulnerable components in Desktop Central can be very costly for such companies.

Some things to consider.