On 06/06/2014 07:16 AM, Inoue, Hiroshi wrote:
> All package files at http://www.postgresql.org/ftp/odbc/versions
> /msi(mm or dll) may contain old openssl dlls. If the dlls are so
> risky, shoudn't we remove the package files?
Well, you're only at risk if you use SSL. Old versions can be very
useful for debugging. If an application used to work correctly with an
old version, but doesn't with a new version, it's very useful to try all
the versions in between to see which exact version broke it.
It would be good to add a notice to the download page though:
NOTE: Old installers contain old versions of the OpenSSL and libpq
libraries, which contain known security vulnerabilities. They are here
for reference purposes only. For production use, always use the latest
version.
- Heikki