OpenSSL, Nessus and Fedora
Justin R. Northcraft
justin.northcraft at cliftoncpa.com
Mon Jan 5 23:14:47 UTC 2004
I have a Fedora system configured with Nessus and OpenSSL. I had installed a
base install of fedora loaded openssl (0.9.7c) then Nessus (2.0.9).
There were no problems during any of the installations.
When I run a Nessus scan against this box the Nessus demon reports a
vulnerability (see below). I'm posting this question because I have
performed the same installation procedures with RedHat 8 and 9 and the
vulnerability does not exist. It seams that the installation of openssl may
not have been placed in the correct file structure???? Any help in finding
the cause of this and correcting the vulnerability is greatly appreciated.
----------NESSUS RESULTS----------
(1241/tcp)
High
The remote host seem to be running a version of OpenSSL which is older than
0.9.6k or 0.9.7c.
There is a heap corruption bug in this version which might be exploited by
an
attacker to gain a shell on this host.
Solution : If you are running OpenSSL, Upgrade to version 0.9.6k or 0.9.7c
or newer
Risk factor : High
CVE : CAN-2003-0543, CAN-2003-0544, CAN-2003-0545
BID : 8732
Other references : IAVA:2003-A-0027, RHSA:RHSA-2003:291-01,
SuSE:SUSE-SA:2003:043
-----------NESSUS RESULTS----------
More information about the fedora-list
mailing list