Anumeha Prasad
2013-Aug-06 10:31 UTC
[CentOS] Openssl vulnerability - SSL/ TLS Renegotiation Handshakes
Hi,

I'm currently at CentOS 5.8. I'm using openssl version openssl-0.9.8e-22.el5. The following vulnerability was reported by a Nessus security scan: "SSL/ TLS Renegotiation Handshakes MiTM Plaintext Data Injection"

As per the following link, Red Hat has introduced openssl-0.9.8m which fixes this specific issue: https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_support

I created an rpm for openssl-0.9.8m using the tarball and when I tried to install it, I got "libssl.so.6()(64bit) is needed by <rpm name>" errors which would be solved by installing the openssl098e rpm. This rpm is a part of CentOS 6 and so I can't install it.

Do we have an openssl-0.9.8m or higher rpm available for CentOS 5? Or any other way I could resolve the errors "libssl.so.6()(64bit) is needed by <rpm name>"? Or any suggestions on the mentioned "SSL/ TLS Renegotiation Handshakes" vulnerability?

Thanks,
Anumeha
John R. Dennison
2013-Aug-06 10:47 UTC
[CentOS] Openssl vulnerability - SSL/ TLS Renegotiation Handshakes
On Tue, Aug 06, 2013 at 04:01:12PM +0530, Anumeha Prasad wrote:
> Hi,
>
> I'm currently at CentOS 5.8. I'm using openssl version

Current is 5.9. Update.

> openssl-0.9.8e-22.el5. The following vulnerability was reported by a Nessus

Current openssl is 0.9.8e-26. Again.... update.

John

--
The men the American public admire most extravagantly are the most daring liars; the men they detest most violently are those who try to tell them the truth.
-- H. L. Mencken (1880-1956), journalist, satirist, and freethinker, The Smart Set, Volume 68 (with George Jean Nathan) p 49 (1922)
Stephen Harris
2013-Aug-06 10:50 UTC
[CentOS] Openssl vulnerability - SSL/ TLS Renegotiation Handshakes
On Tue, Aug 06, 2013 at 04:01:12PM +0530, Anumeha Prasad wrote:
> Hi,
>
> I'm currently at CentOS 5.8. I'm using openssl version
> openssl-0.9.8e-22.el5. The following vulnerability was reported by a Nessus
> security scan:

Don't trust Nessus scans

> As per following link, Redhat has introduced openssl-0.9.8m which fixes
> this specific issue:
>
> https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_support

If you follow that link it points to https://rhn.redhat.com/errata/RHSA-2010-0162.html (openssl-0.9.8e-12.el5_4.6) as having the fix.

Which is superseded by https://rhn.redhat.com/errata/RHSA-2013-0587.html (openssl-0.9.8e-26.el5_9.1)

The version numbers reported by RedHat do not always match the version numbers reported by upstream because RedHat backports fixes into older versions.

According to the very pages you linked to, the flaw has been addressed by RedHat in the 0.9.8e-12 and newer packages.

--
rgds
Stephen
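Because the fix is backported, the upstream-style version string alone does not tell an admin whether a CentOS 5 host is patched. The following is an added example (not from the thread, and not Red Hat's own tooling) of two checks that read the installed package's changelog and the server's own `openssl s_client` answer instead; the sample changelog text, maintainer name and s_client excerpts are constructed.

```shell
#!/bin/sh
# Added example, not from the list thread. Two offline-testable checks a
# CentOS 5 admin can run to decide whether a renegotiation scanner finding
# is a false positive caused by Red Hat's backported RFC 5746 fix.
# Each function reads text on stdin; the comment above it shows the live
# command that produces that text on a real host.

# Check 1: does the installed package's changelog record the RFC 5746
# backport?  Live: rpm -q --changelog openssl | has_rfc5746_backport
# Exit status 0 = recorded, 1 = not recorded.
has_rfc5746_backport() {
    grep -Eiq 'RFC ?5746|(safe|secure) renegotiation'
}

# Check 2: what does the server itself negotiate?  Live:
#   echo | openssl s_client -connect host:443 2>/dev/null | server_secure_reneg
# Prints "supported", "not-supported" or "unknown" (an s_client that
# predates the extension prints neither line, so treat "unknown" as a
# reason to re-test from a newer client, not as a pass).
server_secure_reneg() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Secure Renegotiation IS supported'; then
        echo supported
    elif printf '%s\n' "$out" | grep -q 'Secure Renegotiation IS NOT supported'; then
        echo not-supported
    else
        echo unknown
    fi
}

# Constructed sample inputs (not real Red Hat changelog or s_client output).
PATCHED_CHANGELOG='* Wed Mar 24 2010 Example Maintainer <maint@example.invalid> - 0.9.8e-12.6
- add support for the TLS secure renegotiation extension (RFC 5746)
* Mon Jan 11 2010 Example Maintainer <maint@example.invalid> - 0.9.8e-12.5
- fix a memory leak'
OLD_CHANGELOG='* Mon Jan 11 2010 Example Maintainer <maint@example.invalid> - 0.9.8e-12.5
- fix a memory leak'
PATCHED_SCLIENT='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
Compression: NONE'
UNPATCHED_SCLIENT='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
Compression: NONE'

# Stand-alone demo of both checks on the constructed samples.
if printf '%s\n' "$PATCHED_CHANGELOG" | has_rfc5746_backport; then
    echo "changelog: RFC 5746 backport recorded"
fi
printf '%s\n' "$UNPATCHED_SCLIENT" | server_secure_reneg
```

A changelog that records the backport plus a server answering "supported" is the evidence to attach when closing the scanner finding as a false positive; either check failing means the host still needs the errata update.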