[CentOS] Openssl vulnerability - SSL/ TLS Renegotiation Handshakes

Sun Aug 11 12:21:10 UTC 2013
Eero Volotinen <eero.volotinen at iki.fi>

nessus also supports local checks on centos for patch levels?
On Aug 11, 2013 3:04 PM, "Anumeha Prasad" <anumeha.prasad at gmail.com> wrote:

> I understood when Stephen said "Don't trust nessus scans" as I had also
> mentioned in this thread. Just that someone also mentioned in this thread
> that "Nessus should not in general be ignored". Simply wanted to double
> check that before arriving at a conclusion.
>
> Thanks
>
>
>
> On Thu, Aug 8, 2013 at 2:24 PM, Alexander Dalloz <ad+lists at uni-x.org>
> wrote:
>
> > On 08.08.2013 09:04, Anumeha Prasad wrote:
> > > Thanks for the update.
> > >
> > > I'd updated most of my rpms to CentOS 5.9. I'd even updated openssl
> > > to openssl-0.9.8e-22.el5_8.4 (though now the latest version is
> > > openssl-0.9.8e-26.el5_9.1). My concern is that even upgrading openssl
> > > to version openssl-0.9.8e-26.el5_9.1 might not solve my problem. This is
> > > because the fix for vulnerability "SSL/ TLS Renegotiation Handshakes MiTm
> > > Plaintext Data Injection" was backported to openssl-0.9.8e-12.el5_4.6 as
> > > per article:
> >
> > Sorry to say, but so far you fail to clearly understand that a tool like
> > nessus just looks at the version tag it can get. It cannot see that the
> > fix backported by Red Hat is incorporated into an openssl release which
> > does not have this fix in upstream at the same version.
> >
> > That's why Stephen earlier said "Don't trust nessus scans". But you can
> > trust what Red Hat publishes in their errata reports and CVE database.
> >
> > Alexander
> >
> >
> >
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> >
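Checking the installed package's changelog is the way to confirm a Red Hat backport on CentOS, which is the point Alexander makes above. The shell example below is added here and is not code from the thread: it contrasts what a version-only check sees (the upstream part of the RPM EVR) with a search of `rpm -q --changelog` output for a CVE id. The changelog text is constructed in the style of `rpm -q --changelog`, using the package versions named in the thread, and the CVE id is a placeholder because the thread does not name one.

```shell
#!/bin/sh
# Added example, not from the thread. Real use on a CentOS host would be:
#   rpm -q --changelog openssl | fix_entry_for_cve CVE-XXXX-XXXX
# (CVE-XXXX-XXXX is a placeholder; substitute the id from the Red Hat erratum.)

# Constructed changelog, newest entry first, as rpm prints it. The EVRs are the
# ones discussed in the thread; the CVE id and maintainer are placeholders.
SAMPLE_CHANGELOG='* Mon Jan 01 2013 Example Maintainer <maint@example.invalid> 0.9.8e-26.el5_9.1
- rebuild for CentOS 5.9
* Mon Jan 01 2010 Example Maintainer <maint@example.invalid> 0.9.8e-12.el5_4.6
- fix for CVE-XXXX-XXXX - TLS renegotiation MITM plaintext injection (backport)
- other fixes
* Mon Jan 01 2009 Example Maintainer <maint@example.invalid> 0.9.8e-7.el5
- initial build'

# What a version-banner check sees: only the upstream version, with the
# distribution release (where the backports live) stripped off.
# usage: upstream_version EVR
upstream_version() {
    printf '%s\n' "$1" | sed 's/-.*//'
}

# What the changelog says: reads changelog text on stdin, prints the EVR of the
# oldest entry that mentions the CVE id (i.e. where the backport first landed)
# and exits 0; exits 1 if the CVE id appears nowhere in the changelog.
# usage: rpm -q --changelog PKG | fix_entry_for_cve CVE-ID
fix_entry_for_cve() {
    awk -v cve="$1" '
        /^\* / { entry = $NF }   # header line; its last field is the EVR
        entry != "" && index(tolower($0), tolower(cve)) { oldest = entry }
        END { if (oldest == "") exit 1; print oldest }
    '
}

# Demonstration on the constructed changelog.
printf 'banner check sees: %s\n' "$(upstream_version 0.9.8e-26.el5_9.1)"
if entry=$(printf '%s\n' "$SAMPLE_CHANGELOG" | fix_entry_for_cve CVE-XXXX-XXXX); then
    printf 'changelog: fix first present in %s\n' "$entry"
else
    printf 'changelog: CVE not mentioned, treat the scanner finding as open\n'
fi
```

The banner check reports `0.9.8e` for every build in the changelog, which is exactly why it cannot tell a patched build from an unpatched one; the changelog search can.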