On Tue, Aug 06, 2013 at 04:01:12PM +0530, Anumeha Prasad wrote:
Hi,
I'm currently at CentOS 5.8. I'm using openssl version openssl-0.9.8e-22.el5. The following vulnerability was reported by a Nessus security scan:
Don't trust Nessus scans
As per following link, Redhat has introduced openssl-0.9.8m which fixes this specific issue:
https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_suppor...
If you follow that link it points to https://rhn.redhat.com/errata/RHSA-2010-0162.html (openssl-0.9.8e-12.el5_4.6) as having the fix.
Which is superseded by https://rhn.redhat.com/errata/RHSA-2013-0587.html (openssl-0.9.8e-26.el5_9.1)
The version numbers reported by RedHat do not always match the version numbers reported by upstream because RedHat backports fixes into older versions.
According to the very pages you linked to, the flaw has been addressed by RedHat in the 0.9.8e-12 and newer packages.
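The backporting point above is exactly where version-string scanners go wrong: a CentOS package version has to be compared as an RPM epoch:version-release (EVR) against the erratum that carries the fix, not against the upstream OpenSSL release number. The following is an added example, not code from the thread or from Red Hat, that reimplements RPM's version-segment ordering (the rpmvercmp rules: split into numeric and alphabetic runs, numeric runs compared as integers, a tilde sorts before everything) and applies it to the package versions named in the thread. The function names `rpmvercmp`, `compare_evr` and `has_fix` are this example's own.

```python
import re

def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings; returns -1, 0 or 1.

    Reimplements the rpmvercmp segment rules (not the rpm library itself):
    separators are skipped, numeric runs compare as integers, alphabetic
    runs compare as ASCII strings, a numeric segment beats an alphabetic
    one, and '~' sorts before everything including the end of the string.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip anything that is neither alphanumeric nor a tilde.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # Tilde handling: "1.0~rc1" is older than "1.0".
        if (i < len(a) and a[i] == "~") or (j < len(b) and b[j] == "~"):
            if i >= len(a) or a[i] != "~":
                return 1
            if j >= len(b) or b[j] != "~":
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take a run of the same type from both strings, type chosen by `a`.
        if a[i].isdigit():
            ma, mb, numeric = re.match(r"\d+", a[i:]), re.match(r"\d+", b[j:]), True
        else:
            ma, mb, numeric = re.match(r"[A-Za-z]+", a[i:]), re.match(r"[A-Za-z]+", b[j:]), False
        if mb is None:
            # Segment types differ: a numeric segment is considered newer.
            return 1 if numeric else -1
        sa, sb = ma.group(), mb.group()
        i += len(sa)
        j += len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever string still has segments left is the newer one.
    return -1 if i >= len(a) else 1

def parse_evr(evr: str):
    """Split '[epoch:]version[-release]' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release

def compare_evr(a: str, b: str) -> int:
    """Order two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)

def has_fix(installed_nvr: str, fixed_nvr: str) -> bool:
    """True when the installed name-version-release is at or past the erratum.

    Both inputs are 'name-version-release' as printed by `rpm -q`; the name
    is split off from the right so names containing hyphens survive.
    """
    name_i, ver_i, rel_i = installed_nvr.rsplit("-", 2)
    name_f, ver_f, rel_f = fixed_nvr.rsplit("-", 2)
    if name_i != name_f:
        raise ValueError("comparing different packages")
    return compare_evr(f"{ver_i}-{rel_i}", f"{ver_f}-{rel_f}") >= 0

if __name__ == "__main__":
    installed = "openssl-0.9.8e-22.el5"          # version quoted in the thread
    for erratum in ("openssl-0.9.8e-12.el5_4.6",  # RHSA-2010-0162, RFC 5746 fix
                    "openssl-0.9.8e-26.el5_9.1"): # RHSA-2013-0587, later erratum
        print(erratum, "covered" if has_fix(installed, erratum) else "NOT covered")
    # What a naive scanner does: compare the Red Hat version against upstream 0.9.8m.
    print("0.9.8e vs 0.9.8m:", compare_evr("0.9.8e-22.el5", "0.9.8m"))
```

Run against the thread's numbers, the installed `0.9.8e-22.el5` is newer than the `-12.el5_4.6` release that introduced the RFC 5746 fix but older than the 2013 erratum, so it carries the renegotiation fix while still missing later ones; comparing the bare upstream string `0.9.8m` instead yields "older", which is the false positive the scanner reported. The authoritative check on the host itself is the package changelog (`rpm -q --changelog openssl`), which lists the backported CVE and RHSA identifiers regardless of the upstream version number.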