Re: OpenSSL, Nessus and Fedora

On Mon, Jan 05, 2004 at 04:14:47PM -0700, Justin R. Northcraft wrote:
> I have a Fedora system configured with Nessus and OpenSSL. I had installed a
> base install of Fedora, loaded openssl (0.9.7c) then Nessus (2.0.9).
> There were no problems during any of the installations. 
> 
> When I run a Nessus scan against this box the Nessus daemon reports a
> vulnerability (see below). I'm posting this question because I have
> performed the same installation procedures with RedHat 8 and 9 and the
> vulnerability does not exist. It seems that the installation of openssl may
> not have been placed in the correct file structure???? Any help in finding
> the cause of this and correcting the vulnerability is greatly appreciated.
> 

Red Hat ships openssl 0.9.7a with patches for closing these security
bugs:

* Wed Sep 24 2003 Nalin Dahyabhai <nalin@xxxxxxxxxx>

- add security fixes for protocol parsing bugs (CAN-2003-0543, CAN-2003-0544)
  and heap corruption (CAN-2003-0545)
- update RHNS-CA-CERT files
- ease back on the number of threads used in the threading test

So it is a false alarm.

> (1241/tcp)
> High
> The remote host seem to be running a version of OpenSSL which is older than
> 0.9.6k or 0.9.7c. 
> 
> There is a heap corruption bug in this version which might be exploited by
> an attacker to gain a shell on this host.
> 
> Solution : If you are running OpenSSL, Upgrade to version 0.9.6k or 0.9.7c
> or newer
> Risk factor : High
> CVE : CAN-2003-0543, CAN-2003-0544, CAN-2003-0545
> BID : 8732
> Other references : IAVA:2003-A-0027, RHSA:RHSA-2003:291-01,
> SuSE:SUSE-SA:2003:043
> 

-- 
Axel.Thimm@xxxxxxxxxxxxxxxxxxx
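
The check behind the reply above, as an added example that is not part of the original message: compare the IDs from the scanner report with the package changelog to see whether the fixes were backported. The function names and the ID `CVE-2099-0001` are constructed for illustration; the embedded changelog is the entry quoted in the reply.

```shell
#!/bin/sh
# Added example: triage a version-based scanner finding against a package
# changelog that records backported security fixes.

# Constructed sample input: the changelog entry quoted in the reply. On an
# RPM-based system the same text comes from `rpm -q --changelog openssl`.
sample_changelog() {
cat <<'EOF'
* Wed Sep 24 2003 Nalin Dahyabhai <nalin@xxxxxxxxxx>
- add security fixes for protocol parsing bugs (CAN-2003-0543, CAN-2003-0544)
  and heap corruption (CAN-2003-0545)
- update RHNS-CA-CERT files
- ease back on the number of threads used in the threading test
EOF
}

# unfixed_ids ID...   (changelog text on stdin)
# Prints every ID the changelog does not mention. CAN- and CVE- prefixes are
# treated as the same entry, since candidate numbers kept their digits when
# the CAN- prefix was retired.
unfixed_ids() {
    log=$(cat)
    for id in "$@"; do
        num=${id#C??-}                       # strip "CAN-" or "CVE-"
        # Require a non-digit (or end of line) after the number so that a
        # truncated ID such as CAN-2003-054 does not match CAN-2003-0543.
        if ! printf '%s\n' "$log" | grep -Eq "(CVE|CAN)-${num}([^0-9]|\$)"; then
            printf '%s\n' "$id"
        fi
    done
}

# triage ID...   (changelog text on stdin)
# Exit 0 when every reported ID is covered by a changelog entry.
triage() {
    missing=$(unfixed_ids "$@")
    if [ -z "$missing" ]; then
        echo "all reported IDs appear in the changelog: fixes backported"
    else
        echo "not mentioned in the changelog:" $missing
        return 1
    fi
}

# The three IDs from the Nessus report in this thread.
sample_changelog | triage CAN-2003-0543 CAN-2003-0544 CAN-2003-0545
```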
