No, Nessus should not in general be ignored. _My_ *personal* experience has been that if Nessus is reporting a PACKAGE out of date on CentOS, then it IS out of date [the patch and CESA has been released by the CentOS team].
As has been indicated earlier in the thread you need to update your system for ALL the security issues[1] (which don't break the operation of the system), because you are running CentOS 5.8 [with no updates presumably[2]]. You might be misunderstanding the purpose of point releases[3].
Can you tell us *why* you are forcing your machine to be stuck at a particular point release? It is generally bad practice to not install the updates, at least after testing on a test rig that represents your deployed machine. If you were up-to-date then this "PCI audit" [4] info on the wiki might apply to your situation.
Perhaps you should read these http://www.redhat.com/advice/speaks_backport.html https://access.redhat.com/security/updates/backporting/?sc_cid=3093
and skim these https://www.centos.org/modules/newbb/viewtopic.php?topic_id=16723 http://www.centos.org/modules/newbb/viewtopic.php?topic_id=33190&forum=14
[1] try googling, with a limiter of in the last year, for: CESA +"CentOS 5" site:lists.centos.org/pipermail/centos-announce/ These will point to most of the security updates for "CentOS 5", which you may not have applied.
[2]... to confirm you really are running with no/very few 5.9 updates you could run rpm -qa --last *release* which will tell you what release the machine thinks it is at. And then look at rpm -qa --last |less to see what if anything has been updated since a few *days* after the release.
[3] http://wiki.centos.org/FAQ/General#head-6e2c3746ec45ac3142917466760321e868f43c0e
[4] http://wiki.centos.org/FAQ/General#head-3dad8cb98ac535185e58e882a23ca4b096cbff2f
Even when this disclaimer is not here: I am not a contracting officer. I do not have authority to make or modify the terms of any contract.
-----Original Message-----
From: Anumeha Prasad [mailto:anumeha.prasad@gmail.com]
Sent: Tuesday, August 06, 2013 7:18
To: CentOS mailing list
Subject: Re: [CentOS] Openssl vulnerability - SSL/ TLS Renegotion Handshakes
Thank You.
"Support for RFC 5746 in OpenSSL was introduced upstream in version 0.9.8m" mentioned in the Redhat article made me think that I would require this version. Stephen, as per what you explained, I should be fine with openssl-0.9.8e-22.el5. Right? So, can the vulnerability reported by the Nessus scanner be ignored?
On Tue, Aug 6, 2013 at 4:20 PM, Stephen Harris lists@spuddy.org wrote:
On Tue, Aug 06, 2013 at 04:01:12PM +0530, Anumeha Prasad wrote:
Hi,
I'm currently at CentOS 5.8. I'm using openssl version openssl-0.9.8e-22.el5. The following vulnerability was reported by a Nessus security scan:
Don't trust Nessus scans
As per following link, Redhat has introduced openssl-0.9.8m which fixes this specific issue:
https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_support
If you follow that link it points to https://rhn.redhat.com/errata/RHSA-2010-0162.html (openssl-0.9.8e-12.el5_4.6) as having the fix.
Which is superseded by https://rhn.redhat.com/errata/RHSA-2013-0587.html (openssl-0.9.8e-26.el5_9.1)
The version numbers reported by RedHat do not always match the version numbers reported by upstream because RedHat backports fixes into older versions.
According to the very pages you linked to, the flaw has been addressed by RedHat in the 0.9.8e-12 and newer packages.
--
rgds
Stephen
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
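Stephen's explanation above comes down to one check: compare the installed package's name-version-release (the output of `rpm -q openssl`) against the NVR named in the erratum, using RPM's own ordering rules, rather than comparing the upstream version string that a banner-based scanner check sees. The script below is an added example; it is not code from this thread, from Red Hat or from the CentOS project. It reimplements rpm's version comparison in Python (the function names `rpmvercmp`, `split_nevr`, `compare_packages` and `has_backported_fix` are this example's own, and `rpm` or `rpmdev-vercmp` on the box remain authoritative) and runs it over the NVRs quoted in the thread: the installed openssl-0.9.8e-22.el5, the first fixed build openssl-0.9.8e-12.el5_4.6 from RHSA-2010-0162, and the later openssl-0.9.8e-26.el5_9.1 from RHSA-2013-0587.

```python
import re

# Segments rpm compares: runs of digits, runs of letters, or a literal '~'.
# Any other character ('.', '_', '-') only separates segments.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version (or release) strings the way rpm's rpmvercmp() does.

    Returns 1 if a is newer, -1 if b is newer, 0 if they rank equal.
    Digit runs compare numerically, letter runs compare as strings, a digit
    run beats a letter run, '~' sorts before anything (even end of string),
    and once all shared segments are equal the string with segments left
    over is the newer one.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")  # "010" ranks equal to "10"
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return 0


def split_nevr(pkg: str):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release)."""
    name, version, release = pkg.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    return name, epoch, version, release


def compare_packages(installed: str, reference: str) -> int:
    """Order two builds of the same package by (epoch, version, release)."""
    n1, e1, v1, r1 = split_nevr(installed)
    n2, e2, v2, r2 = split_nevr(reference)
    if n1 != n2:
        raise ValueError(f"different packages: {n1} vs {n2}")
    if e1 != e2:
        return 1 if e1 > e2 else -1
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def has_backported_fix(installed: str, first_fixed: str) -> bool:
    """True when the installed build is at or past the erratum's build."""
    return compare_packages(installed, first_fixed) >= 0


def main() -> None:
    # NVRs as quoted in the thread; the scanner's upstream number is 0.9.8m.
    installed = "openssl-0.9.8e-22.el5"
    first_fixed = "openssl-0.9.8e-12.el5_4.6"   # RHSA-2010-0162
    latest = "openssl-0.9.8e-26.el5_9.1"        # RHSA-2013-0587

    # What a banner-only comparison against upstream sees: "older".
    print("upstream 0.9.8e vs 0.9.8m:", rpmvercmp("0.9.8e", "0.9.8m"))
    # What the vendor's errata actually say about this build.
    print("RFC 5746 fix present:", has_backported_fix(installed, first_fixed))
    print("at latest errata build:", has_backported_fix(installed, latest))


if __name__ == "__main__":
    main()
```

The two results answer the two different questions in the thread: the installed build is past the erratum that added the renegotiation fix, so that specific finding is a false positive caused by comparing upstream version strings, but the same build is behind the 5.9-era erratum, which is the point the later reply makes about applying all outstanding updates.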