[CentOS] Openssl vulnerability - SSL/TLS Renegotiation Handshakes

Denniston, Todd A CIV NAVSURFWARCENDIV Crane todd.denniston at navy.mil
Tue Aug 6 17:31:49 UTC 2013


No, Nessus should not in general be ignored.
_My_ *personal* experience has been that if Nessus is reporting a
PACKAGE out of date on CentOS, then it IS out of date [the patch and
CESA has been released by the CentOS team].

As has been indicated earlier in the thread you need to update your
system for ALL the security issues[1] (which don't break the operation
of the system), because you are running CentOS 5.8 [with no updates
presumably[2]].  You might be misunderstanding the purpose of point
releases[3].

Can you tell us *why* you are forcing your machine to be stuck at a
particular point release?
It is generally bad practice to not install the updates, at least after
testing on a test rig that represents your deployed machine.
If you were up-to-date then this "PCI audit" [4] info on the wiki might
apply to your situation.

Perhaps you should read these
http://www.redhat.com/advice/speaks_backport.html
https://access.redhat.com/security/updates/backporting/?sc_cid=3093

and skim these
https://www.centos.org/modules/newbb/viewtopic.php?topic_id=16723
http://www.centos.org/modules/newbb/viewtopic.php?topic_id=33190&forum=14


[1] try googling, with a limiter of in the last year, for:
CESA +"CentOS 5" site:lists.centos.org/pipermail/centos-announce/
These will point to most of the security updates for "CentOS 5", which
you may not have applied.



[2]... to confirm you really are running with no/very few 5.9 updates
you could run
rpm -qa --last \*release\*
which will tell you what release the machine thinks it is at.
And then look at 
rpm -qa --last |less 
to see what if anything has been updated since a few *days* after the
release.

[3]
http://wiki.centos.org/FAQ/General#head-6e2c3746ec45ac3142917466760321e868f43c0e

[4]
http://wiki.centos.org/FAQ/General#head-3dad8cb98ac535185e58e882a23ca4b096cbff2f


Even when this disclaimer is not here:
I am not a contracting officer. I do not have authority to make or
modify the terms of any contract.


> -----Original Message-----
> From: Anumeha Prasad [mailto:anumeha.prasad at gmail.com]
> Sent: Tuesday, August 06, 2013 7:18
> To: CentOS mailing list
> Subject: Re: [CentOS] Openssl vulnerability - SSL/TLS Renegotiation Handshakes
> 
> Thank You.
> 
> "Support for RFC 5746 in OpenSSL was introduced upstream in version
> 0.9.8m"
> mentioned in the Redhat article made me think that I would require this
> version. Stephen, as per what you explained, I should be fine with
> openssl-0.9.8e-22.el5.
> Right? So, can the vulnerability reported by Nessus scanner be ignored?
> 
> 
> On Tue, Aug 6, 2013 at 4:20 PM, Stephen Harris <lists at spuddy.org>
> wrote:
> 
> > On Tue, Aug 06, 2013 at 04:01:12PM +0530, Anumeha Prasad wrote:
> > > Hi,
> > >
> > > I'm currently at CentOS 5.8. I'm using openssl version
> > > openssl-0.9.8e-22.el5. The following vulnerability was reported by a Nessus
> > > security scan:
> >
> > Don't trust Nessus scans
> >
> > > As per following link, Redhat has introduced openssl-0.9.8m which fixes
> > > this specific issue:
> > >
> > > https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_support
> >
> > If you follow that link it points to
> >   https://rhn.redhat.com/errata/RHSA-2010-0162.html (openssl-0.9.8e-12.el5_4.6)
> > as having the fix.
> >
> > Which is superseded by
> >   https://rhn.redhat.com/errata/RHSA-2013-0587.html (openssl-0.9.8e-26.el5_9.1)
> >
> > The version numbers reported by RedHat do not always match the version
> > numbers reported by upstream because RedHat backports fixes into older
> > versions.
> >
> > According to the very pages you linked to, the flaw has been addressed
> > by RedHat in the 0.9.8e-12 and newer packages.
> >
> > --
> >
> > rgds
> > Stephen
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> >
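The thread's point is that a scanner (or a human) comparing the installed package's upstream version string against the upstream fixed version ("0.9.8m") gets the wrong answer on an enterprise distribution, because the fix was backported and the information lives in the RPM release field. The following Python script is an added example, not code from this thread or from the CentOS or Red Hat projects. It reimplements rpm's rpmvercmp() segment comparison (the algorithm in rpm's own source) and applies it to the three package versions named above: the poster's installed openssl-0.9.8e-22.el5, the erratum package that first carried the fix (0.9.8e-12.el5_4.6, RHSA-2010-0162), and the superseding one (0.9.8e-26.el5_9.1, RHSA-2013-0587). The function names, and the assumption that the installed version is obtained with `rpm -q openssl --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n'`, are the example's own.

```python
import re


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm's rpmvercmp() does.

    Returns 1 if a is newer, -1 if b is newer, 0 if they are equal.
    Rules: the string is split into runs of digits or letters; anything else
    is a separator; numeric runs compare numerically; a numeric run beats an
    alphabetic run; '~' sorts before everything (pre-releases); and when all
    shared segments are equal, the string with segments left over is newer.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators (anything that is not a letter, digit or tilde)
        while i < len(a) and not a[i].isalnum() and a[i] != "~":
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] != "~":
            j += 1
        # tilde: "1.0~rc1" is older than "1.0"
        if (i < len(a) and a[i] == "~") or (j < len(b) and b[j] == "~"):
            if i < len(a) and a[i] == "~" and j < len(b) and b[j] == "~":
                i += 1
                j += 1
                continue
            return -1 if (i < len(a) and a[i] == "~") else 1
        if i >= len(a) or j >= len(b):
            break
        # take the next run of the same kind (digits or letters) from both sides
        if a[i].isdigit():
            m1, m2, numeric = re.match(r"\d+", a[i:]), re.match(r"\d+", b[j:]), True
        else:
            m1, m2, numeric = re.match(r"[A-Za-z]+", a[i:]), re.match(r"[A-Za-z]+", b[j:]), False
        if m2 is None:
            # the runs are of different kinds: the numeric side is newer
            return 1 if numeric else -1
        s1, s2 = m1.group(0), m2.group(0)
        i += len(s1)
        j += len(s2)
        if numeric:
            if int(s1) != int(s2):
                return 1 if int(s1) > int(s2) else -1
        elif s1 != s2:
            return 1 if s1 > s2 else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (epoch, version, release).

    A missing epoch, or the '(none)' that rpm prints for %{EPOCH}, counts as 0.
    """
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e in ("", "(none)") else int(e)
    version, sep, release = evr.rpartition("-")
    if not sep:
        version, release = evr, ""
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Full package comparison: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def backport_status(installed: str, fixed_in: str, latest: str) -> dict:
    """Answer the two questions raised in the thread: does the installed package
    carry the backported fix (at or past the erratum that introduced it), and is
    it the current package (at or past the latest erratum)?"""
    return {
        "has_fix": compare_evr(installed, fixed_in) >= 0,
        "is_current": compare_evr(installed, latest) >= 0,
    }


# Package versions quoted in the thread (the installed value would normally
# come from: rpm -q openssl --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n').
INSTALLED = "0.9.8e-22.el5"       # what the original poster reported
FIXED_IN = "0.9.8e-12.el5_4.6"    # first package with the backported fix
LATEST = "0.9.8e-26.el5_9.1"      # superseding erratum at the time of the thread

if __name__ == "__main__":
    # The mistake the scanner makes: against upstream's 0.9.8m the installed
    # 0.9.8e looks older ('e' < 'm'), so the backported fix is invisible.
    print("0.9.8e vs 0.9.8m:", rpmvercmp("0.9.8e", "0.9.8m"))  # -> -1
    print(backport_status(INSTALLED, FIXED_IN, LATEST))
    # -> {'has_fix': True, 'is_current': False}
```

The result matches the conclusion of the thread: the installed release is past the fix level, so the scanner finding is a false positive caused by upstream-version matching, but the machine is still behind the current erratum and should be updated. On a real host the same check against the backported fix can be cross-checked with `rpm -q --changelog openssl`, whose entries name the advisories and CVEs a release fixes.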
