Re: Openssl vulnerability - SSL/ TLS Renegotion Handshakes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 

Am 08.08.2013 09:04, schrieb Anumeha Prasad:
> Thanks for the update.
> 
> I'd updated most of my rpms to CentOS 5.9. I'd even updated openssl
> to openssl-0.9.8e-22.el5_8.4 (though now the latest is version
> is openssl-0.9.8e-26.el5_9.1). My concern is that even upgrading openssl to
> version openssl-0.9.8e-26.el5_9.1 might not solve my problem. This is
> because the fix for vulnerability "SSL/ TLS Renegotion Handshakes MiTm
> Plaintext Data Injection" was backported to openssl-0.9.8e-12.el5_4.6 as
> per article:

Sorry to say, but so far you fail to clearly understand that a tool like
nessus just looks at the version tag it can get. It cannot see that the
fix backported by Red Hat is incorporated into an openssl release which
does not have this fix in upstream at the same version.

That's why Stephen earlier said "Don't trust nessus scans". But you can
trust what Red Hat publishes in their errata reports and CVE database.

Alexander



_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux