[CentOS] Openssl vulnerability - SSL/ TLS Renegotiation Handshakes

Tue Aug 6 10:31:12 UTC 2013
Anumeha Prasad <anumeha.prasad at gmail.com>

Hi,

I'm currently on CentOS 5.8. I'm using openssl version
openssl-0.9.8e-22.el5. The following vulnerability was reported by a Nessus
security scan:

"SSL/ TLS Renegotiation Handshakes MiTm Plaintext Data Injection"

As per the following link, Red Hat has introduced openssl-0.9.8m which fixes
this specific issue:

https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_support

I created an rpm for openssl-0.9.8m using the tarball and when I tried to
install it, I got "libssl.so.6()(64bit) is needed by <rpm name>" errors which
would be solved by installing the openssl098e rpm. This rpm is a part of
CentOS 6 and so I can't install it.

Do we have an openssl-0.9.8m or higher rpm available for CentOS 5? Or any
other way I could resolve the errors "libssl.so.6()(64bit) is needed by <rpm
name>"? Or any suggestions on the mentioned "SSL/ TLS Renegotiation
Handshakes" vulnerability?

Thanks,
Anumeha
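
Added example, not part of the original post: one way to confirm after an update whether a server advertises the RFC 5746 support that the linked Red Hat article refers to is to look for the renegotiation_info extension (type 0xff01) in its ServerHello. The function names and both sample messages below are constructed for illustration; a real message would come from a packet capture of the handshake.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746

def server_hello_extensions(handshake: bytes) -> dict:
    """Parse a raw ServerHello handshake message into {ext_type: ext_data}."""
    if len(handshake) < 4 or handshake[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    length = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + length]
    if len(body) != length or length < 38:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                       # server_version + random
    pos += 1 + body[pos]               # session_id length byte + session_id
    pos += 2 + 1                       # cipher_suite + compression_method
    if pos > len(body):
        raise ValueError("session_id overruns message")
    if pos == len(body):
        return {}                      # legacy hello: no extensions block
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if end != len(body):
        raise ValueError("bad extensions length")
    exts = {}
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if pos + ext_len > end:
            raise ValueError("extension overruns block")
        exts[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    return exts

def supports_secure_renegotiation(handshake: bytes) -> bool:
    # On an initial handshake the extension holds an empty
    # renegotiated_connection field, encoded as the single byte 0x00.
    return server_hello_extensions(handshake).get(RENEGOTIATION_INFO) == b"\x00"

def _build_hello(extensions: bytes) -> bytes:
    """Constructed sample: TLS 1.0 hello, zeroed random, empty session_id."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        body += len(extensions).to_bytes(2, "big") + extensions
    return b"\x02" + len(body).to_bytes(3, "big") + body

PATCHED = _build_hello(b"\xff\x01\x00\x01\x00")  # constructed, RFC 5746 aware
UNPATCHED = _build_hello(b"")                    # constructed, no extensions
```

A missing extension only shows that the server does not signal RFC 5746; it does not by itself tell you whether renegotiation is enabled on that server.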