[CentOS] Openssl vulnerability - SSL/ TLS Renegotion Handshakes

Tue Aug 6 10:50:51 UTC 2013
Stephen Harris <lists at spuddy.org>

On Tue, Aug 06, 2013 at 04:01:12PM +0530, Anumeha Prasad wrote:
> Hi,
> I'm currently at CentOS 5.8. I'm using openssl version
> openssl-0.9.8e-22.el5. The following vulnerability was reported by a Nessus
> security scan:

Don't trust Nessus scans

> As per following link, Redhat has introduced openssl-0.9.8m which fixes
> this specific issue:
> https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_support

If you follow that link it points to
  https://rhn.redhat.com/errata/RHSA-2010-0162.html (openssl-0.9.8e-12.el5_4.6)
as having the fix.

Which is superceded by
  https://rhn.redhat.com/errata/RHSA-2013-0587.html (openssl-0.9.8e-26.el5_9.1)

The version numbers reported by RedHat do not always match the version
numbers reported by upstream because RedHat backports fixes into older

According to the very pages you linked to, the flaw has been addressed
by RedHat in the 0.9.8e-12 and newer packages.