Re: Openssl vulnerability - SSL/ TLS Renegotiation Handshakes




nessus also supports local checks on centos for patch levels?
On Aug 11, 2013 3:04 PM, "Anumeha Prasad" <anumeha.prasad@xxxxxxxxx> wrote:

> I understood when Stephen said "Don't trust nessus scans" as I had also
> mentioned in this thread. Just that someone also mentioned in this thread
> that "Nessus should not in general be ignored". Simply wanted to double
> check that before arriving at a conclusion.
>
> Thanks
>
>
>
> On Thu, Aug 8, 2013 at 2:24 PM, Alexander Dalloz <ad+lists@xxxxxxxxx>
> wrote:
>
> > Am 08.08.2013 09:04, schrieb Anumeha Prasad:
> > > Thanks for the update.
> > >
> > > I'd updated most of my rpms to CentOS 5.9. I'd even updated openssl
> > > to openssl-0.9.8e-22.el5_8.4 (though now the latest version
> > > is openssl-0.9.8e-26.el5_9.1). My concern is that even upgrading openssl to
> > > version openssl-0.9.8e-26.el5_9.1 might not solve my problem. This is
> > > because the fix for vulnerability "SSL/ TLS Renegotiation Handshakes MiTm
> > > Plaintext Data Injection" was backported to openssl-0.9.8e-12.el5_4.6 as
> > > per article:
> >
> > Sorry to say, but so far you fail to clearly understand that a tool like
> > nessus just looks at the version tag it can get. It cannot see that the
> > fix backported by Red Hat is incorporated into an openssl release which
> > does not have this fix in upstream at the same version.
> >
> > That's why Stephen earlier said "Don't trust nessus scans". But you can
> > trust what Red Hat publishes in their errata reports and CVE database.
> >
> > Alexander
> >
> >
> >
> > _______________________________________________
> > CentOS mailing list
> > CentOS@xxxxxxxxxx
> > http://lists.centos.org/mailman/listinfo/centos
> >
>
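Added example, not part of the thread: the point made above about version tags versus backported fixes, as a check that compares the installed package's full version-release against the build the vendor errata names as fixed. The comparison is a simplified reimplementation of RPM's version ordering (no epoch, `~` or `^` handling); the fixed build is the one cited in the thread, and the third sample package is constructed.

```python
import re

_SEG = re.compile(r"\d+|[A-Za-z]+")  # rpm compares runs of digits or letters

def rpmvercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_nvr(nvr):
    """'openssl-0.9.8e-22.el5_8.4' -> ('openssl', '0.9.8e', '22.el5_8.4')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def has_backport(installed, fixed_in):
    """True if the installed build is at or above the errata's fixed build."""
    name_i, ver_i, rel_i = split_nvr(installed)
    name_f, ver_f, rel_f = split_nvr(fixed_in)
    if name_i != name_f:
        raise ValueError("different packages")
    return (rpmvercmp(ver_i, ver_f) or rpmvercmp(rel_i, rel_f)) >= 0

FIXED_IN = "openssl-0.9.8e-12.el5_4.6"  # build cited in the thread as carrying the fix
INSTALLED = [
    "openssl-0.9.8e-22.el5_8.4",  # from the thread
    "openssl-0.9.8e-26.el5_9.1",  # from the thread
    "openssl-0.9.8e-12.el5",      # constructed sample: build older than the fix
]

def report():
    """(package, upstream version tag, backport present) for each sample."""
    return [(p, split_nvr(p)[1], has_backport(p, FIXED_IN)) for p in INSTALLED]

if __name__ == "__main__":
    for pkg, upstream, fixed in report():
        print(f"{pkg}: upstream tag {upstream}, backport present: {fixed}")
```

All three samples report the same upstream tag, 0.9.8e, which is all a version-string check sees; only the release field separates the patched builds from the unpatched one.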