Thank You.
"Support for RFC 5746 in OpenSSL was introduced upstream in version 0.9.8m" mentioned in the Redhat article made me think that I would require this version. Stephen, as per what you explained, I should be fine with openssl-0.9.8e-22.el5. Right? So, can the vulnerability reported by the Nessus scanner be ignored?
On Tue, Aug 6, 2013 at 4:20 PM, Stephen Harris lists@spuddy.org wrote:
On Tue, Aug 06, 2013 at 04:01:12PM +0530, Anumeha Prasad wrote:
Hi,
I'm currently at CentOS 5.8. I'm using openssl version openssl-0.9.8e-22.el5. The following vulnerability was reported by a Nessus security scan:
Don't trust Nessus scans
As per following link, Redhat has introduced openssl-0.9.8m which fixes this specific issue:
https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_suppor...
If you follow that link it points to https://rhn.redhat.com/errata/RHSA-2010-0162.html (openssl-0.9.8e-12.el5_4.6) as having the fix.
Which is superseded by https://rhn.redhat.com/errata/RHSA-2013-0587.html (openssl-0.9.8e-26.el5_9.1)
The version numbers reported by RedHat do not always match the version numbers reported by upstream because RedHat backports fixes into older versions.
According to the very pages you linked to, the flaw has been addressed by RedHat in the 0.9.8e-12 and newer packages.
--
rgds Stephen
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
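A check a CentOS admin could run after this exchange, as an added example that is not part of the thread: it applies Stephen's point that Red Hat keeps the upstream version part fixed and bumps only the package release for backports, so the installed release is compared against the one named in RHSA-2010-0162 and then confirmed against the RPM changelog. The changelog text embedded below is constructed sample data, not the real openssl package's changelog; `check_host` and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a RHEL/CentOS openssl
# package carries the RFC 5746 backport. Red Hat keeps the upstream version
# part (0.9.8e) fixed and bumps only the release, so compare releases against
# the one named in the erratum, then confirm with the package changelog.

pkg_version() { printf '%s\n' "${1%%-*}"; }     # "0.9.8e-22.el5" -> "0.9.8e"
pkg_release() { printf '%s\n' "${1#*-}"; }      # "0.9.8e-22.el5" -> "22.el5"
release_number() { printf '%s\n' "${1%%.*}"; }  # "12.el5_4.6"    -> "12"

# carries_fix INSTALLED FIXED
# 0: installed release >= fixed release (same upstream version part)
# 1: installed release is older than the fixed release
# 2: upstream version parts differ; release numbers are not comparable
carries_fix() {
  inst_ver=$(pkg_version "$1"); fix_ver=$(pkg_version "$2")
  [ "$inst_ver" = "$fix_ver" ] || return 2
  inst_rel=$(release_number "$(pkg_release "$1")")
  fix_rel=$(release_number "$(pkg_release "$2")")
  [ "$inst_rel" -ge "$fix_rel" ]
}

# changelog_mentions_rfc5746 TEXT
# TEXT is the output of `rpm -q --changelog openssl`; 0 if an entry names RFC 5746.
changelog_mentions_rfc5746() {
  printf '%s\n' "$1" | grep -Eiq 'RFC[ -]?5746'
}

# CONSTRUCTED sample changelog in RPM changelog style (not the real package's).
SAMPLE_CHANGELOG='* Mon Jan 01 2010 Example Maintainer <maint@example.invalid> 0.9.8e-12
- backport RFC 5746 (TLS secure renegotiation extension)
* Mon Jan 01 2009 Example Maintainer <maint@example.invalid> 0.9.8e-7
- rebuild'

FIXED_IN='0.9.8e-12.el5_4.6'   # release named in RHSA-2010-0162 (from the thread)

# check_host INSTALLED_VR CHANGELOG_TEXT
# On a real host: check_host "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl | head -n1)" \
#                            "$(rpm -q --changelog openssl)"
check_host() {
  if carries_fix "$1" "$FIXED_IN" && changelog_mentions_rfc5746 "$2"; then
    echo "openssl $1: RFC 5746 backport present"
  else
    echo "openssl $1: backport NOT confirmed, update the package"
    return 1
  fi
}

check_host '0.9.8e-22.el5' "$SAMPLE_CHANGELOG"
```

The version-string comparison alone is not proof; the changelog (or `openssl s_client`'s "Secure Renegotiation IS supported" line against a live service) is what confirms the backport is really in the binary.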