Thank You. "Support for RFC 5746 in OpenSSL was introduced upstream in version 0.9.8m" mentioned in the Redhat article made me think that I would require this version. Stephen, as per what you explained, I should be fine with openssl-0.9.8e-22.el5. Right? So, can the vulnerability reported by the Nessus scanner be ignored?

On Tue, Aug 6, 2013 at 4:20 PM, Stephen Harris <lists at spuddy.org> wrote:
> On Tue, Aug 06, 2013 at 04:01:12PM +0530, Anumeha Prasad wrote:
> > Hi,
> >
> > I'm currently at CentOS 5.8. I'm using openssl version
> > openssl-0.9.8e-22.el5. The following vulnerability was reported by a Nessus
> > security scan:
>
> Don't trust Nessus scans
>
> > As per the following link, Redhat has introduced openssl-0.9.8m which fixes
> > this specific issue:
> >
> > https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_support
>
> If you follow that link it points to
> https://rhn.redhat.com/errata/RHSA-2010-0162.html (openssl-0.9.8e-12.el5_4.6)
> as having the fix.
>
> Which is superseded by
> https://rhn.redhat.com/errata/RHSA-2013-0587.html (openssl-0.9.8e-26.el5_9.1)
>
> The version numbers reported by RedHat do not always match the version
> numbers reported by upstream because RedHat backports fixes into older
> versions.
>
> According to the very pages you linked to, the flaw has been addressed
> by RedHat in the 0.9.8e-12 and newer packages.
>
> --
>
> rgds
> Stephen
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
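Because backported fixes make the package version string an unreliable indicator, the practical check is to ask the server itself whether it advertises RFC 5746 secure renegotiation, and to look for the backport in the RPM changelog. The script below is an added example written for this thread, not something posted by either participant; the host name, port and the sample `s_client` output are constructed, and `reneg_status` only classifies text that `openssl s_client` prints.

```shell
#!/bin/sh
# Added example: verify RFC 5746 support by behaviour, not by version string.

# Classify the "Secure Renegotiation ..." line that `openssl s_client` prints.
# $1 = captured s_client output; prints supported / unsupported / unknown.
reneg_status() {
    case "$1" in
        *"Secure Renegotiation IS NOT supported"*) echo unsupported ;;
        *"Secure Renegotiation IS supported"*)     echo supported ;;
        *)                                         echo unknown ;;
    esac
}

# Live check of a TLS endpoint (needs network). $1 = host, $2 = port (443).
check_host() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:${2:-443}" 2>&1)
    reneg_status "$out"
}

# Does the installed package changelog record the renegotiation backport?
# Returns 0 if a matching changelog entry exists (rpm must be available).
changelog_mentions_reneg() {
    rpm -q --changelog openssl 2>/dev/null | grep -qi 'renegotiat'
}

# Constructed sample outputs, trimmed to the relevant line, for offline use.
SAMPLE_PATCHED='---
SSL handshake has read 1234 bytes and written 456 bytes
---
Secure Renegotiation IS supported
Compression: NONE'
SAMPLE_UNPATCHED='---
Secure Renegotiation IS NOT supported
Compression: NONE'

# Usage: ./check_reneg.sh example.com 443   (host/port are placeholders)
if [ -n "$1" ]; then
    printf '%s: secure renegotiation %s\n' "$1" "$(check_host "$1" "$2")"
    if changelog_mentions_reneg; then
        echo "openssl changelog mentions renegotiation fix"
    fi
fi
```

An "unknown" result usually means the handshake failed before the extension was negotiated, so inspect the full `s_client` output rather than treating it as a pass.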