nessus also supports local checks on centos for patch levels?

On Aug 11, 2013 3:04 PM, "Anumeha Prasad" <anumeha.prasad at gmail.com> wrote:

> I understood when Stephen said "Don't trust nessus scans" as I had also
> mentioned in this thread. Just that someone also mentioned in this thread
> that "Nessus should not in general be ignored". Simply wanted to double
> check that before arriving at a conclusion.
>
> Thanks
>
> On Thu, Aug 8, 2013 at 2:24 PM, Alexander Dalloz <ad+lists at uni-x.org> wrote:
>
> > On 08.08.2013 09:04, Anumeha Prasad wrote:
> > > Thanks for the update.
> > >
> > > I'd updated most of my rpms to CentOS 5.9. I'd even updated openssl
> > > to openssl-0.9.8e-22.el5_8.4 (though now the latest version
> > > is openssl-0.9.8e-26.el5_9.1). My concern is that even upgrading openssl to
> > > version openssl-0.9.8e-26.el5_9.1 might not solve my problem. This is
> > > because the fix for vulnerability "SSL/ TLS Renegotiation Handshakes MiTm
> > > Plaintext Data Injection" was backported to openssl-0.9.8e-12.el5_4.6 as
> > > per article:
> >
> > Sorry to say, but so far you fail to clearly understand that a tool like
> > nessus just looks at the version tag it can get. It cannot see that the
> > fix backported by Red Hat is incorporated into an openssl release which
> > does not have this fix in upstream at the same version.
> >
> > That's why Stephen earlier said "Don't trust nessus scans". But you can
> > trust what Red Hat publishes in their errata reports and CVE database.
> >
> > Alexander
> >
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
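The difference discussed in this thread between a check on the version tag and a check on the installed package release, as an added example that is not part of the thread and is not Nessus code. The package strings are the ones quoted above; the upstream fixed version `ASSUMED_UPSTREAM_FIX` is an assumed value for illustration, and the comparison is a simplified form of rpm's version ordering (no epoch, tilde or caret handling).

```python
import re

def rpmvercmp(a, b):
    """Simplified rpm ordering: compare digit/letter segments left to right."""
    sa = re.findall(r"\d+|[a-zA-Z]+", a)
    sb = re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats a letter one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare (version, release) pairs; release decides when versions tie."""
    return rpmvercmp(a[0], b[0]) or rpmvercmp(a[1], b[1])

def version_tag_check(version, upstream_fix):
    """What a scanner can conclude from the upstream version tag alone."""
    return "flagged" if rpmvercmp(version, upstream_fix) < 0 else "ok"

def package_release_check(installed, errata_fix):
    """What a local check can conclude from the full version-release."""
    return "flagged" if evr_cmp(installed, errata_fix) < 0 else "ok"

# From the thread: release that carries the backported fix, and installed builds.
BACKPORT_FIX = ("0.9.8e", "12.el5_4.6")
INSTALLED = [("0.9.8e", "22.el5_8.4"), ("0.9.8e", "26.el5_9.1")]
# Assumption for illustration only; the thread does not give this value.
ASSUMED_UPSTREAM_FIX = "0.9.8m"

def report():
    """Return (package, version-tag verdict, package-release verdict) rows."""
    return [
        ("openssl-%s-%s" % pkg,
         version_tag_check(pkg[0], ASSUMED_UPSTREAM_FIX),
         package_release_check(pkg, BACKPORT_FIX))
        for pkg in INSTALLED
    ]

if __name__ == "__main__":
    for row in report():
        print("%-28s version tag: %-8s package release: %s" % row)
```

Both installed builds are flagged when only the `0.9.8e` tag is compared and pass when the release field is compared against the backport release, which is why the errata for the exact package build is the reference to check a finding against.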