[CentOS] Openssl vulnerability - SSL/TLS Renegotiation Handshakes

Tue Aug 6 11:18:13 UTC 2013
Anumeha Prasad <anumeha.prasad at gmail.com>

Thank You.

"Support for RFC 5746 in OpenSSL was introduced upstream in version 0.9.8m"
mentioned in the Redhat article made me think that I would require this
version. Stephen, as per what you explained, I should be fine with
openssl-0.9.8e-22.el5.
Right? So, can the vulnerability reported by the Nessus scanner be ignored?


On Tue, Aug 6, 2013 at 4:20 PM, Stephen Harris <lists at spuddy.org> wrote:

> On Tue, Aug 06, 2013 at 04:01:12PM +0530, Anumeha Prasad wrote:
> > Hi,
> >
> > I'm currently at CentOS 5.8. I'm using openssl version
> > openssl-0.9.8e-22.el5. The following vulnerability was reported by a
> Nessus
> > security scan:
>
> Don't trust Nessus scans
>
> > As per following link, Redhat has introduced openssl-0.9.8m which fixes
> > this specific issue:
> >
> >
> https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_support
>
> If you follow that link it points to
>   https://rhn.redhat.com/errata/RHSA-2010-0162.html (openssl-0.9.8e-12.el5_4.6)
> as having the fix.
>
> Which is superseded by
>   https://rhn.redhat.com/errata/RHSA-2013-0587.html (openssl-0.9.8e-26.el5_9.1)
>
> The version numbers reported by RedHat do not always match the version
> numbers reported by upstream because RedHat backports fixes into older
> versions.
>
> According to the very pages you linked to, the flaw has been addressed
> by RedHat in the 0.9.8e-12 and newer packages.
>
> --
>
> rgds
> Stephen
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
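As an added example (not part of this thread, and not code from Red Hat, CentOS or Nessus), here is a small POSIX shell script that does the two checks Stephen's reply implies: look in the RPM changelog for the backported RFC 5746 change (the RHSA-2010-0162 errata named above) rather than at the upstream version number, and confirm that a live handshake reports "Secure Renegotiation IS supported", which is the line `openssl s_client` prints once the extension is in place. The changelog and `s_client` samples below are constructed stand-ins for the real command output so the script runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example: decide whether a scanner's "TLS renegotiation" finding on an
# el5 box is a version-string false positive caused by Red Hat backporting.
#
# Real usage (the functions read the command output on stdin):
#   rpm -q --changelog openssl | changelog_has_rfc5746
#   openssl s_client -connect HOST:443 </dev/null 2>&1 | sclient_secure_reneg

# Returns 0 when the package changelog mentions RFC 5746 support or the
# errata from the thread that introduced it (RHSA-2010-0162).
changelog_has_rfc5746() {
    grep -Eiq 'RFC ?5746|RHSA-2010-0162'
}

# Returns 0 when openssl s_client output carries the secure-renegotiation
# line that OpenSSL prints for an RFC 5746 capable peer.
sclient_secure_reneg() {
    grep -q '^Secure Renegotiation IS supported'
}

# Treat the finding as a false positive only when the package history AND
# the observed handshake agree; otherwise the update the thread points at
# (RHSA-2013-0587, openssl-0.9.8e-26.el5_9.1) is the fix.
assess() {
    if printf '%s\n' "$1" | changelog_has_rfc5746 &&
       printf '%s\n' "$2" | sclient_secure_reneg; then
        echo "likely false positive: RFC 5746 backported and negotiated"
        return 0
    fi
    echo "not fixed: update openssl and re-scan"
    return 1
}

# Constructed sample of 'rpm -q --changelog openssl' on a patched host
# (wording is illustrative, not the real Red Hat changelog text).
PATCHED_CHANGELOG=$(cat <<'EOF'
* Example Packager <packager@example.invalid> 0.9.8e-12.el5_4.6
- add support for RFC 5746 TLS renegotiation extension
- Resolves: RHSA-2010-0162
EOF
)

# Constructed sample for a host still on a pre-errata build.
UNPATCHED_CHANGELOG=$(cat <<'EOF'
* Example Packager <packager@example.invalid> 0.9.8e-12.el5_4.5
- disable client-initiated renegotiation as a temporary mitigation
EOF
)

# Constructed fragments of 'openssl s_client' output.
SCLIENT_OK='Secure Renegotiation IS supported'
SCLIENT_NOT_OK='Secure Renegotiation IS NOT supported'

# Demonstration on the samples; the failing case's status is not propagated.
assess "$PATCHED_CHANGELOG" "$SCLIENT_OK"
assess "$UNPATCHED_CHANGELOG" "$SCLIENT_NOT_OK" || :
```

The point of requiring both checks is that a changelog entry shows the patch was shipped, while the `s_client` line shows the running daemon actually negotiates the extension; either one alone can mislead after a partial update or a service that was never restarted.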