[CentOS] Openssl vulnerability - SSL/TLS Renegotiation Handshakes

Thu Aug 8 07:04:04 UTC 2013
Anumeha Prasad <anumeha.prasad at gmail.com>

Thanks for the update.

I'd updated most of my rpms to CentOS 5.9. I'd even updated openssl
to openssl-0.9.8e-22.el5_8.4 (though the latest version is now
openssl-0.9.8e-26.el5_9.1). My concern is that even upgrading openssl to
version openssl-0.9.8e-26.el5_9.1 might not solve my problem. This is
because the fix for the vulnerability "SSL/TLS Renegotiation Handshakes MiTM
Plaintext Data Injection" was backported to openssl-0.9.8e-12.el5_4.6 as
per the article:

https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_support

In the link https://access.redhat.com/security/updates/backporting/?sc_cid=3093
you shared, I found: "some
security scanning and auditing tools make decisions about vulnerabilities
based solely on the version number of components they find. This results in
false positives as the tools do not take into account backported security
fixes."

This might be the reason for the reported vulnerability. Or there might be
some configuration changes that I need to make on my server, but I'm not
sure of that.


On Tue, Aug 6, 2013 at 11:01 PM, Denniston, Todd A CIV NAVSURFWARCENDIV
Crane <todd.denniston at navy.mil> wrote:

> No, Nessus should not in general be ignored.
> _My_ *personal* experience has been that if Nessus is reporting a
> PACKAGE out of date on CentOS, then it IS out of date [the patch and
> CESA has been released by the CentOS team].
>
> As has been indicated earlier in the thread you need to update your
> system for ALL the security issues[1] (which don't break the operation
> of the system), because you are running CentOS 5.8 [with no updates
> presumably[2]].  You might be misunderstanding the purpose of point
> releases[3].
>
> Can you tell us *why* you are forcing your machine to be stuck at a
> particular point release?
> It is generally bad practice to not install the updates, at least after
> testing on a test rig that represents your deployed machine.
> If you were up-to-date then this "PCI audit" [4] info on the wiki might
> apply to your situation.
>
> Perhaps you should read these
> http://www.redhat.com/advice/speaks_backport.html
> https://access.redhat.com/security/updates/backporting/?sc_cid=3093
>
> and skim these
> https://www.centos.org/modules/newbb/viewtopic.php?topic_id=16723
> http://www.centos.org/modules/newbb/viewtopic.php?topic_id=33190&forum=14
>
>
> [1] try googling, with a limiter of in the last year, for:
> CESA +"CentOS 5" site:lists.centos.org/pipermail/centos-announce/
> These will point to most of the security updates for "CentOS 5", which
> you may not have applied.
>
>
>
> [2]... to confirm you really are running with no/very few 5.9 updates
> you could run
> rpm -qa --last \*release\*
> which will tell you what release the machine thinks it is at.
> And then look at
> rpm -qa --last |less
> to see what if anything has been updated since a few *days* after the
> release.
>
> [3]
> http://wiki.centos.org/FAQ/General#head-6e2c3746ec45ac3142917466760321e868f43c0e
>
> [4]
> http://wiki.centos.org/FAQ/General#head-3dad8cb98ac535185e58e882a23ca4b096cbff2f
>
>
> Even when this disclaimer is not here:
> I am not a contracting officer. I do not have authority to make or
> modify the terms of any contract.
>
>
> > -----Original Message-----
> > From: Anumeha Prasad [mailto:anumeha.prasad at gmail.com]
> > Sent: Tuesday, August 06, 2013 7:18
> > To: CentOS mailing list
> > Subject: Re: [CentOS] Openssl vulnerability - SSL/TLS Renegotiation
> > Handshakes
> >
> > Thank You.
> >
> > "Support for RFC 5746 in OpenSSL was introduced upstream in version
> > 0.9.8m"
> > mentioned in the Redhat article made me think that I would require
> this
> > version. Stephen, as per what you explained, I should be fine with
> > openssl-0.9.8e-22.el5.
> > Right? So, can the vulnerability reported by Nessus scanner ignored?
> >
> >
> > On Tue, Aug 6, 2013 at 4:20 PM, Stephen Harris <lists at spuddy.org>
> > wrote:
> >
> > > On Tue, Aug 06, 2013 at 04:01:12PM +0530, Anumeha Prasad wrote:
> > > > Hi,
> > > >
> > > > I'm currently at CentOS 5.8. I'm using openssl version
> > > > openssl-0.9.8e-22.el5. The following vulnerability was reported by
> > > > a Nessus security scan:
> > >
> > > Don't trust Nessus scans
> > >
> > > > As per the following link, Redhat has introduced openssl-0.9.8m
> > > > which fixes this specific issue:
> > > >
> > > > https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_support
> > >
> > > If you follow that link it points to
> > >   https://rhn.redhat.com/errata/RHSA-2010-0162.html (openssl-0.9.8e-12.el5_4.6)
> > > as having the fix.
> > >
> > > Which is superseded by
> > >   https://rhn.redhat.com/errata/RHSA-2013-0587.html (openssl-0.9.8e-26.el5_9.1)
> > >
> > > The version numbers reported by RedHat do not always match the
> > > version numbers reported by upstream because RedHat backports fixes
> > > into older versions.
> > >
> > > According to the very pages you linked to, the flaw has been
> > > addressed by RedHat in the 0.9.8e-12 and newer packages.
> > >
> > > --
> > >
> > > rgds
> > > Stephen
> > > _______________________________________________
> > > CentOS mailing list
> > > CentOS at centos.org
> > > http://lists.centos.org/mailman/listinfo/centos
> > >
>
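As an added illustration of the backporting point made in this thread (example code, not from the list, Red Hat or the rpm project), the script below reimplements rpm's version comparison in simplified form (no tilde/caret handling) and compares the package strings quoted above: a check against the upstream "0.9.8m" version alone reports the host vulnerable, while an EVR comparison against the backported RHSA-2010:0162 build openssl-0.9.8e-12.el5_4.6 shows the fix is present. It assumes no epoch on either side.

```python
import re

# Simplified re-implementation of rpm's rpmvercmp: split both strings into
# numeric and alphabetic runs and compare run by run (no "~"/"^" handling).
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1, like rpmvercmp(a, b)."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))   # numeric compare
        elif x.isdigit():
            return 1                                    # numbers sort after letters
        elif y.isdigit():
            return -1
        else:
            c = (x > y) - (x < y)                       # plain string compare
        if c:
            return c
    # all shared segments equal: the string with more segments is newer
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_nvr(nvr: str):
    """'openssl-0.9.8e-22.el5_8.4' -> ('openssl', '0.9.8e', '22.el5_8.4')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def evr_at_least(installed: str, fixed: str) -> bool:
    """True if the installed version-release is >= the build carrying the fix.
    Epoch is assumed absent (0) on both sides."""
    n1, v1, r1 = split_nvr(installed)
    n2, v2, r2 = split_nvr(fixed)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    c = rpmvercmp(v1, v2) or rpmvercmp(r1, r2)
    return c >= 0

def upstream_version_check(installed: str, upstream_fix_version: str) -> bool:
    """What a version-only scanner does: compare just the upstream version
    string and ignore the distro release tag, hence the false positive."""
    _, v, _ = split_nvr(installed)
    return rpmvercmp(v, upstream_fix_version) >= 0

if __name__ == "__main__":
    inst = "openssl-0.9.8e-22.el5_8.4"           # installed build from the thread
    fix = "openssl-0.9.8e-12.el5_4.6"            # RHSA-2010:0162 backported fix
    print("naive upstream check (>= 0.9.8m):", upstream_version_check(inst, "0.9.8m"))
    print("backported EVR check (>= fix):  ", evr_at_least(inst, fix))
```

On the host itself, `rpm -q --changelog openssl` lists the advisories the installed build carries, which is the record a version-only scanner does not read.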