Hi,
I'm currently at CentOS 5.8. I'm using openssl version openssl-0.9.8e-22.el5. The following vulnerability was reported by a Nessus security scan:
"SSL/TLS Renegotiation Handshakes MiTM Plaintext Data Injection"
As per the following link, Red Hat has introduced openssl-0.9.8m, which fixes this specific issue:
https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_suppor...
I created an rpm for openssl-0.9.8m from the tarball and when I tried to install it, I got "libssl.so.6()(64bit) is needed by <rpm name>" errors, which would be solved by installing the openssl098e rpm. This rpm is a part of CentOS 6 and so I can't install it.
Is an openssl-0.9.8m or higher rpm available for CentOS 5? Or is there any other way I could resolve the errors "libssl.so.6()(64bit) is needed by <rpm name>"? Or any suggestions on the mentioned "SSL/TLS Renegotiation Handshakes" vulnerability?
Thanks, Anumeha
On Tue, Aug 06, 2013 at 04:01:12PM +0530, Anumeha Prasad wrote:
Hi,
I'm currently at CentOS 5.8. I'm using openssl version
Current is 5.9. Update.
openssl-0.9.8e-22.el5. The following vulnerability was reported by a Nessus
Current openssl is 0.9.8e-26. Again.... update.
John
On Tue, Aug 06, 2013 at 04:01:12PM +0530, Anumeha Prasad wrote:
Hi,
I'm currently at CentOS 5.8. I'm using openssl version openssl-0.9.8e-22.el5. The following vulnerability was reported by a Nessus security scan:
Don't trust Nessus scans
As per following link, Redhat has introduced openssl-0.9.8m which fixes this specific issue:
https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_suppor...
If you follow that link it points to https://rhn.redhat.com/errata/RHSA-2010-0162.html (openssl-0.9.8e-12.el5_4.6) as having the fix.
Which is superseded by https://rhn.redhat.com/errata/RHSA-2013-0587.html (openssl-0.9.8e-26.el5_9.1)
The version numbers reported by Red Hat do not always match the version numbers reported by upstream because Red Hat backports fixes into older versions.
According to the very pages you linked to, the flaw has been addressed by RedHat in the 0.9.8e-12 and newer packages.
Thank You.
"Support for RFC 5746 in OpenSSL was introduced upstream in version 0.9.8m" mentioned in the Red Hat article made me think that I would require this version. Stephen, as per what you explained, I should be fine with openssl-0.9.8e-22.el5. Right? So, can the vulnerability reported by the Nessus scanner be ignored?
No, Nessus should not in general be ignored. _My_ *personal* experience has been that if Nessus is reporting a PACKAGE out of date on CentOS, then it IS out of date [the patch and CESA has been released by the CentOS team].
As has been indicated earlier in the thread you need to update your system for ALL the security issues[1] (which don't break the operation of the system), because you are running CentOS 5.8 [with no updates presumably[2]]. You might be misunderstanding the purpose of point releases[3].
Can you tell us *why* you are forcing your machine to be stuck at a particular point release? It is generally bad practice to not install the updates, at least after testing on a test rig that represents your deployed machine. If you were up-to-date then this "PCI audit" [4] info on the wiki might apply to your situation.
Perhaps you should read these http://www.redhat.com/advice/speaks_backport.html https://access.redhat.com/security/updates/backporting/?sc_cid=3093
and skim these https://www.centos.org/modules/newbb/viewtopic.php?topic_id=16723 http://www.centos.org/modules/newbb/viewtopic.php?topic_id=33190&forum=14
[1] try googling, with a limiter of in the last year, for: CESA +"CentOS 5" site:lists.centos.org/pipermail/centos-announce/ These will point to most of the security updates for "CentOS 5", which you may not have applied.
[2]... to confirm you really are running with no/very few 5.9 updates you could run rpm -qa --last *release* which will tell you what release the machine thinks it is at. And then look at rpm -qa --last |less to see what if anything has been updated since a few *days* after the release.
[3] http://wiki.centos.org/FAQ/General#head-6e2c3746ec45ac3142917466760321e868f43c0e
[4] http://wiki.centos.org/FAQ/General#head-3dad8cb98ac535185e58e882a23ca4b096cbff2f
Even when this disclaimer is not here: I am not a contracting officer. I do not have authority to make or modify the terms of any contract.
Thanks for the update.
I'd updated most of my rpms to CentOS 5.9. I'd even updated openssl to openssl-0.9.8e-22.el5_8.4 (though now the latest version is openssl-0.9.8e-26.el5_9.1). My concern is that even upgrading openssl to version openssl-0.9.8e-26.el5_9.1 might not solve my problem. This is because the fix for vulnerability "SSL/TLS Renegotiation Handshakes MiTM Plaintext Data Injection" was backported to openssl-0.9.8e-12.el5_4.6 as per the article:
https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_suppor...
In the link https://access.redhat.com/security/updates/backporting/?sc_cid=3093 you shared, I found "some security scanning and auditing tools make decisions about vulnerabilities based solely on the version number of components they find. This results in false positives as the tools do not take into account backported security fixes."
This might be the reason for reported vulnerability. Or, there might be some configuration changes that I need to make on my server, but not sure of that.
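As an added example (not code from the thread or from any of its participants) of the point made above: a version string tells a scanner nothing about a backported fix, so check two things the version does not show. The first function looks for the renegotiation (RFC 5746) fix in the package's own `rpm -q --changelog` output, assuming the entry names it with "renegotiation" or "RFC 5746"; the second reads the "Secure Renegotiation IS supported" / "IS NOT supported" line that `openssl s_client` prints for a live connection. The changelog and s_client sample text is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Two local checks that look at what the
# package actually contains and what the server actually negotiates, instead of
# the bare version string a scanner compares against upstream.
#
# Live use on the CentOS 5 host (standard commands; host and port are assumed):
#   rpm -q --changelog openssl | changelog_has_reneg_fix
#   openssl s_client -connect localhost:443 </dev/null 2>/dev/null | secure_reneg_state
# Below, both functions are fed constructed sample text so the script runs offline.

# Does the package changelog record the backported renegotiation (RFC 5746) fix?
# Reads stdin; prints "yes" or "no". Assumes the changelog entry names the fix
# with the word "renegotiation" or "RFC 5746".
changelog_has_reneg_fix() {
    if grep -qiE 'renegotiation|RFC ?5746'; then echo yes; else echo no; fi
}

# What does s_client say about the Secure Renegotiation extension on the live
# connection? Reads stdin; prints "supported", "unsupported" or "unknown".
secure_reneg_state() {
    out=$(cat)
    case "$out" in
        *"Secure Renegotiation IS supported"*)     echo supported ;;
        *"Secure Renegotiation IS NOT supported"*) echo unsupported ;;
        *)                                         echo unknown ;;
    esac
}

# Constructed sample inputs (illustrative, not copied from a real package or host).
SAMPLE_CHANGELOG_FIXED='* Tue Mar 09 2010 Example Maintainer - 0.9.8e-12.el5_4.6
- add support for safe renegotiation (RFC 5746)
* Mon Jan 11 2010 Example Maintainer - 0.9.8e-12.el5_4.1
- unrelated fix'
SAMPLE_CHANGELOG_OLD='* Mon Jan 11 2010 Example Maintainer - 0.9.8e-12.el5_4.1
- unrelated fix'
SAMPLE_SCLIENT_OK='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported'
SAMPLE_SCLIENT_BAD='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported'

# Stand-alone demonstration over the constructed samples.
printf 'changelog (fixed build):   %s\n' "$(printf '%s\n' "$SAMPLE_CHANGELOG_FIXED" | changelog_has_reneg_fix)"
printf 'changelog (old build):     %s\n' "$(printf '%s\n' "$SAMPLE_CHANGELOG_OLD" | changelog_has_reneg_fix)"
printf 's_client (patched host):   %s\n' "$(printf '%s\n' "$SAMPLE_SCLIENT_OK" | secure_reneg_state)"
printf 's_client (unpatched host): %s\n' "$(printf '%s\n' "$SAMPLE_SCLIENT_BAD" | secure_reneg_state)"
```

If the changelog check says yes but s_client still reports IS NOT supported, the running service is not using the patched library (it was not restarted after the update, or is linked against another copy), which is the configuration case raised above.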
On 08.08.2013 09:04, Anumeha Prasad wrote:
Thanks for the update.
I'd updated most of my rpms to CentOS 5.9. I'd even updated openssl to openssl-0.9.8e-22.el5_8.4 (though now the latest is version is openssl-0.9.8e-26.el5_9.1). My concern is that even upgrading openssl to version openssl-0.9.8e-26.el5_9.1 might not solve my problem. This is because the fix for vulnerability "SSL/ TLS Renegotion Handshakes MiTm Plaintext Data Injection" was backported to openssl-0.9.8e-12.el5_4.6 as per article:
Sorry to say, but so far you fail to clearly understand that a tool like nessus just looks at the version tag it can get. It cannot see that the fix backported by Red Hat is incorporated into an openssl release which does not have this fix in upstream at the same version.
That's why Stephen earlier said "Don't trust nessus scans". But you can trust what Red Hat publishes in their errata reports and CVE database.
Alexander
I understood when Stephen said "Don't trust nessus scans" as I had also mentioned in this thread. Just that someone also mentioned in this thread that "Nessus should not in general be ignored". Simply wanted to double check that before arriving at a conclusion.
Thanks
nessus also supports local checks on centos for patch levels?