nessus also supports local checks on centos for patch levels? On Aug 11, 2013 3:04 PM, "Anumeha Prasad" anumeha.prasad@gmail.com wrote:
I understood when Stephen said "Don't trust nessus scans" as I had also mentioned in thi thread. Just that someone also mentioned in this thread that "Nessus should not in general be ignored". Simply wanted to double check that before arriving at a conclusion.
Thanks
On Thu, Aug 8, 2013 at 2:24 PM, Alexander Dalloz ad+lists@uni-x.org wrote:
Am 08.08.2013 09:04, schrieb Anumeha Prasad:
Thanks for the update.
I'd updated most of my rpms to CentOS 5.9. I'd even updated openssl to openssl-0.9.8e-22.el5_8.4 (though now the latest is version is openssl-0.9.8e-26.el5_9.1). My concern is that even upgrading
openssl
to
version openssl-0.9.8e-26.el5_9.1 might not solve my problem. This is because the fix for vulnerability "SSL/ TLS Renegotion Handshakes MiTm Plaintext Data Injection" was backported to openssl-0.9.8e-12.el5_4.6
as
per article:
Sorry to say, but so far you fail to clearly understand that a tool like nessus just looks at the version tag it can get. It cannot see that the fix backported by Red Hat is incorporated into an openssl release which does not have this fix in upstream at the same version.
That's why Stephen earlier said "Don't trust nessus scans". But you can trust what Red Hat publishes in their errata reports and CVE database.
Alexander
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos