Thanks for the update.
I'd updated most of my rpms to CentOS 5.9. I'd even updated openssl to openssl-0.9.8e-22.el5_8.4 (though now the latest version is openssl-0.9.8e-26.el5_9.1). My concern is that even upgrading openssl to version openssl-0.9.8e-26.el5_9.1 might not solve my problem. This is because the fix for vulnerability "SSL/ TLS Renegotiation Handshakes MiTM Plaintext Data Injection" was backported to openssl-0.9.8e-12.el5_4.6 as per article:
https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_suppor...
In the link https://access.redhat.com/security/updates/backporting/?sc_cid=3093 you shared, I found "some security scanning and auditing tools make decisions about vulnerabilities based solely on the version number of components they find. This results in false positives as the tools do not take into account backported security fixes."
This might be the reason for the reported vulnerability. Or, there might be some configuration changes that I need to make on my server, but I'm not sure of that.
On Tue, Aug 6, 2013 at 11:01 PM, Denniston, Todd A CIV NAVSURFWARCENDIV Crane todd.denniston@navy.mil wrote:
No, Nessus should not in general be ignored. _My_ *personal* experience has been that if Nessus is reporting a PACKAGE out of date on CentOS, then it IS out of date [the patch and CESA has been released by the CentOS team].
As has been indicated earlier in the thread you need to update your system for ALL the security issues[1] (which don't break the operation of the system), because you are running CentOS 5.8 [with no updates presumably[2]]. You might be misunderstanding the purpose of point releases[3].
Can you tell us *why* you are forcing your machine to be stuck at a particular point release? It is generally bad practice to not install the updates, at least after testing on a test rig that represents your deployed machine. If you were up-to-date then this "PCI audit" [4] info on the wiki might apply to your situation.
Perhaps you should read these
http://www.redhat.com/advice/speaks_backport.html
https://access.redhat.com/security/updates/backporting/?sc_cid=3093
and skim these
https://www.centos.org/modules/newbb/viewtopic.php?topic_id=16723
http://www.centos.org/modules/newbb/viewtopic.php?topic_id=33190&forum=14
[1] try googling, with a limiter of in the last year, for: CESA +"CentOS 5" site:lists.centos.org/pipermail/centos-announce/ These will point to most of the security updates for "CentOS 5", which you may not have applied.
[2]... to confirm you really are running with no/very few 5.9 updates you could run rpm -qa --last *release* which will tell you what release the machine thinks it is at. And then look at rpm -qa --last |less to see what if anything has been updated since a few *days* after the release.
[3] http://wiki.centos.org/FAQ/General#head-6e2c3746ec45ac3142917466760321e868f43c0e
[4] http://wiki.centos.org/FAQ/General#head-3dad8cb98ac535185e58e882a23ca4b096cbff2f
Even when this disclaimer is not here: I am not a contracting officer. I do not have authority to make or modify the terms of any contract.
-----Original Message----- From: Anumeha Prasad [mailto:anumeha.prasad@gmail.com] Sent: Tuesday, August 06, 2013 7:18 To: CentOS mailing list Subject: Re: [CentOS] Openssl vulnerability - SSL/ TLS Renegotiation Handshakes
Thank You.
"Support for RFC 5746 in OpenSSL was introduced upstream in version 0.9.8m" mentioned in the Redhat article made me think that I would require this version. Stephen, as per what you explained, I should be fine with openssl-0.9.8e-22.el5. Right? So, can the vulnerability reported by the Nessus scanner be ignored?
On Tue, Aug 6, 2013 at 4:20 PM, Stephen Harris lists@spuddy.org wrote:
On Tue, Aug 06, 2013 at 04:01:12PM +0530, Anumeha Prasad wrote:
Hi,
I'm currently at CentOS 5.8. I'm using openssl version openssl-0.9.8e-22.el5. The following vulnerability was reported by a Nessus security scan:
Don't trust Nessus scans
As per following link, Redhat has introduced openssl-0.9.8m which fixes this specific issue:
https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_support
If you follow that link it points to https://rhn.redhat.com/errata/RHSA-2010-0162.html (openssl-0.9.8e-12.el5_4.6) as having the fix.
Which is superseded by https://rhn.redhat.com/errata/RHSA-2013-0587.html (openssl-0.9.8e-26.el5_9.1)
The version numbers reported by RedHat do not always match the version numbers reported by upstream because RedHat backports fixes into older versions.
According to the very pages you linked to, the flaw has been addressed by RedHat in the 0.9.8e-12 and newer packages.
--
rgds Stephen
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
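The point made above, that a scanner judging openssl by its upstream version (0.9.8e versus 0.9.8m) reaches a different answer than a comparison that honours the package release carrying the backported fix, can be checked mechanically. The Python below is an added example, not code from this thread, Red Hat, CentOS or Nessus: it implements rpm's segment-wise version comparison rule (rpmvercmp, without tilde or caret handling) and compares an installed openssl package string against the first EL5 build named in the thread as carrying the RFC 5746 fix, openssl-0.9.8e-12.el5_4.6 from RHSA-2010-0162.

```python
import re

# rpm compares a version or release as runs of digits or letters; the
# separators ("." and "_") only delimit the runs.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """rpm's rpmvercmp rule (tilde/caret omitted, unused here): digit runs
    compare numerically, letter runs as strings, digits beat letters, and
    with all shared segments equal the string with more segments is newer."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_evr(nevr, name="openssl"):
    """'openssl-0.9.8e-22.el5' -> (epoch, '0.9.8e', '22.el5'), epoch 0 if absent."""
    version, release = nevr[len(name) + 1:].rsplit("-", 1)
    epoch, version = (version.split(":", 1) if ":" in version else ("0", version))
    return int(epoch), version, release

def evrcmp(a, b):
    """Compare (epoch, version, release) tuples in that order."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

# First EL5 build carrying the backported RFC 5746 fix, per RHSA-2010-0162.
FIXED_EL5 = "openssl-0.9.8e-12.el5_4.6"

def has_backported_fix(installed, fixed=FIXED_EL5):
    """Release-aware check: installed build is the fixing build or later."""
    return evrcmp(split_evr(installed), split_evr(fixed)) >= 0

def upstream_version_only(installed, upstream_fixed="0.9.8m"):
    """What a version-number-only scanner does: ignores epoch and release."""
    return rpmvercmp(split_evr(installed)[1], upstream_fixed) >= 0
```

For openssl-0.9.8e-22.el5 the version-only check reports "below 0.9.8m" while the release-aware check reports the fix present; on the host itself the same question is settled by reading rpm -q --changelog openssl for the advisory's entry, which is the step a version-number-only scanner skips.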