On Mon, Jan 05, 2004 at 04:14:47PM -0700, Justin R. Northcraft wrote:
> I have a Fedora system configured with Nessus and OpenSSL. I had done a
> base install of Fedora, loaded openssl (0.9.7c), then Nessus (2.0.9).
> There were no problems during any of the installations.
>
> When I run a Nessus scan against this box the Nessus daemon reports a
> vulnerability (see below). I'm posting this question because I have
> performed the same installation procedures with RedHat 8 and 9 and the
> vulnerability does not exist. It seems that the installation of openssl may
> not have been placed in the correct file structure???? Any help in finding
> the cause of this and correcting the vulnerability is greatly appreciated.
>

Red Hat ships openssl 0.9.7a with patches for closing these security bugs:

* Wed Sep 24 2003 Nalin Dahyabhai <nalin@xxxxxxxxxx>
- add security fixes for protocol parsing bugs (CAN-2003-0543, CAN-2003-0544)
  and heap corruption (CAN-2003-0545)
- update RHNS-CA-CERT files
- ease back on the number of threads used in the threading test

So it is a false alarm.

> (1241/tcp)
> High
> The remote host seems to be running a version of OpenSSL which is older than
> 0.9.6k or 0.9.7c.
>
> There is a heap corruption bug in this version which might be exploited by an
> attacker to gain a shell on this host.
>
> Solution : If you are running OpenSSL, Upgrade to version 0.9.6k or 0.9.7c
> or newer
> Risk factor : High
> CVE : CAN-2003-0543, CAN-2003-0544, CAN-2003-0545
> BID : 8732
> Other references : IAVA:2003-A-0027, RHSA:RHSA-2003:291-01,
> SuSE:SUSE-SA:2003:043
>
-- 
Axel.Thimm@xxxxxxxxxxxxxxxxxxx
Attachment:
pgpVuszw8htb6.pgp
Description: PGP signature