When the database server or libpq client library initializes SSL, libeay32.dll attempts to read configuration from a hard-coded directory. Typically, the directory does not exist, but any local user could create it and inject configuration. This configuration can direct OpenSSL to load and execute arbitrary code as the user running a PostgreSQL server or client. Most PostgreSQL client tools and libraries use libpq, and one can encounter this vulnerability by using any of them. This vulnerability is much like CVE-2019-5443, but it originated independently. One can work around the vulnerability by setting the environment variable OPENSSL_CONF to "NUL:/openssl.cnf" or any other name that cannot exist as a file.
Acknowledgments:
Name: the PostgreSQL project
Upstream: Daniel Gustafsson (Curl security team)
Created mingw-postgresql tracking bugs for this issue:
Affects: epel-7 [bug 1739216]
Affects: fedora-all [bug 1739210]

Created postgresql tracking bugs for this issue:
Affects: fedora-all [bug 1739213]
External References: https://www.postgresql.org/about/news/1960/
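
The OPENSSL_CONF workaround described above only helps if the variable actually reaches the process that loads libeay32.dll, so the following added example (not part of the original report or of PostgreSQL) audits the variable in each Windows environment scope and offers a function to set it machine-wide. The function names Get-OpenSslConfStatus and Set-OpenSslConfWorkaround are hypothetical; the value is the one quoted in the description.

```powershell
# Added example: audit and apply the OPENSSL_CONF workaround from the advisory.
$Workaround = 'NUL:/openssl.cnf'   # value quoted in the advisory text

function Get-OpenSslConfStatus {
    # Report OPENSSL_CONF in each scope Windows can supply it from.
    # Note: 'User' is the account running this script, not a service account.
    foreach ($scope in 'Process', 'User', 'Machine') {
        $value = [Environment]::GetEnvironmentVariable('OPENSSL_CONF', $scope)
        if ([string]::IsNullOrEmpty($value)) {
            $status = 'NotSet'         # OpenSSL uses its built-in default path
        } elseif ($value -eq $Workaround) {
            $status = 'Workaround'     # name that cannot exist as a file
        } elseif ([System.IO.File]::Exists($value)) {
            $status = 'ExistingFile'   # review who can write to it
        } else {
            $status = 'MissingFile'    # review who could create it
        }
        [pscustomobject]@{ Scope = $scope; Value = $value; Status = $status }
    }
}

function Set-OpenSslConfWorkaround {
    # Machine scope needs an elevated prompt; running services keep their old
    # environment until they are restarted.
    [Environment]::SetEnvironmentVariable('OPENSSL_CONF', $Workaround, 'Machine')
}

Get-OpenSslConfStatus | Format-Table -AutoSize
```

A status of NotSet, ExistingFile or MissingFile in the scope that applies to the PostgreSQL server or client account means the workaround is not in effect for that account.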