OpenSSL, Nessus and Fedora

Axel Thimm Axel.Thimm at physik.fu-berlin.de
Tue Jan 6 00:12:28 UTC 2004


On Mon, Jan 05, 2004 at 04:14:47PM -0700, Justin R. Northcraft wrote:
> I have a Fedora system configured with Nessus and OpenSSL. I did a base
> install of Fedora, loaded openssl (0.9.7c), then Nessus (2.0.9).
> There were no problems during any of the installations. 
> 
> When I run a Nessus scan against this box the Nessus daemon reports a
> vulnerability (see below). I'm posting this question because I have
> performed the same installation procedures with RedHat 8 and 9 and the
> vulnerability does not exist. It seems that the installation of openssl may
> not have been placed in the correct file structure? Any help in finding
> the cause of this and correcting the vulnerability is greatly appreciated.
> 

Red Hat ships openssl 0.9.7a with patches closing these security
bugs:

* Wed Sep 24 2003 Nalin Dahyabhai <nalin at redhat.com>

- add security fixes for protocol parsing bugs (CAN-2003-0543, CAN-2003-0544)
  and heap corruption (CAN-2003-0545)
- update RHNS-CA-CERT files
- ease back on the number of threads used in the threading test

So it is a false alarm.

> (1241/tcp)
> High
> The remote host seems to be running a version of OpenSSL which is older than
> 0.9.6k or 0.9.7c.
> 
> There is a heap corruption bug in this version which might be exploited by
> an attacker to gain a shell on this host.
> 
> Solution : If you are running OpenSSL, Upgrade to version 0.9.6k or 0.9.7c
> or newer
> Risk factor : High
> CVE : CAN-2003-0543, CAN-2003-0544, CAN-2003-0545
> BID : 8732
> Other references : IAVA:2003-A-0027, RHSA:RHSA-2003:291-01,
> SuSE:SUSE-SA:2003:043

-- 
Axel.Thimm at physik.fu-berlin.de
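The reply above explains why a banner-based scanner misfires here: Red Hat keeps the upstream version string (0.9.7a) but backports the fixes, so the package changelog, not the version, tells you whether CAN-2003-0543/0544/0545 are closed. The following is an added example (not code from the original thread, from Nessus, or from Red Hat) that reproduces the version-only test the plugin's message implies and then cross-checks the package changelog for the advisory's IDs. The sample changelog text is constructed from the entry quoted in the reply, laid out the way `rpm -q --changelog openssl` prints it; the second entry in it is a made-up placeholder. The version-comparison logic is a reconstruction of what the finding says, not the plugin's own code.

```python
import re

# Constructed sample changelog: the Red Hat openssl-0.9.7a entry quoted in the
# reply above, laid out as "rpm -q --changelog openssl" prints entries. The
# second entry is a made-up placeholder showing that unrelated entries are ignored.
SAMPLE_CHANGELOG = """\
* Wed Sep 24 2003 Nalin Dahyabhai <nalin@redhat.com>
- add security fixes for protocol parsing bugs (CAN-2003-0543, CAN-2003-0544)
  and heap corruption (CAN-2003-0545)
- update RHNS-CA-CERT files
- ease back on the number of threads used in the threading test

* Mon Sep 15 2003 Example Maintainer <maint@example.invalid>
- rebuild (constructed placeholder entry)
"""

# IDs listed in the Nessus finding and in RHSA-2003:291.
ADVISORY_IDS = ("CAN-2003-0543", "CAN-2003-0544", "CAN-2003-0545")

# Upstream releases the plugin names as fixed, one per maintained branch.
FIXED_RELEASES = ("0.9.6k", "0.9.7c")

_ID_RE = re.compile(r"\b(CVE|CAN)-(\d{4}-\d{4,})\b")
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def normalize_id(ident):
    """CAN-YYYY-NNNN was the candidate form of CVE-YYYY-NNNN; treat them as one."""
    m = _ID_RE.fullmatch(ident.strip())
    if not m:
        raise ValueError("not a CVE/CAN identifier: %r" % ident)
    return "CVE-" + m.group(2)


def parse_openssl_version(text):
    """'0.9.7c' -> (0, 9, 7, 'c'); a letter suffix sorts after no suffix."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def banner_says_vulnerable(version, fixed=FIXED_RELEASES):
    """Reconstruct the version-only test implied by the plugin's message.

    A release is flagged when it is older than the fix for its own branch
    (0.9.6x or 0.9.7x), or older than every listed fix when its branch is not
    listed at all. This is exactly the check that misfires on backports.
    """
    v = parse_openssl_version(version)
    fixes = [parse_openssl_version(f) for f in fixed]
    same_branch = [f for f in fixes if f[:3] == v[:3]]
    if same_branch:
        return v < min(same_branch)
    return v < min(fixes)


def cve_ids_in_changelog(changelog):
    """Return the normalised set of CVE IDs mentioned anywhere in the changelog."""
    return {normalize_id(m.group(0)) for m in _ID_RE.finditer(changelog)}


def assess(version, changelog, advisory_ids=ADVISORY_IDS):
    """Combine the banner test with a changelog check for backported fixes."""
    wanted = {normalize_id(i) for i in advisory_ids}
    found = cve_ids_in_changelog(changelog)
    missing = wanted - found
    flagged = banner_says_vulnerable(version)
    if not flagged:
        verdict = "not affected: version at or above the fixed release"
    elif not missing:
        verdict = "false positive: fixes backported"
    else:
        verdict = "vulnerable"
    return {
        "version": version,
        "banner_flags": flagged,
        "fixes_found": sorted(found & wanted),
        "fixes_missing": sorted(missing),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # On a real host you would feed in the live changelog instead, e.g.
    # subprocess.check_output(["rpm", "-q", "--changelog", "openssl"], text=True)
    for key, value in assess("0.9.7a", SAMPLE_CHANGELOG).items():
        print("%-14s %s" % (key + ":", value))
```

The CAN/CVE normalisation matters in practice: the candidate IDs in a 2003 changelog were later promoted to CVE-2003-05xx, and a naive string match against a newer advisory would miss them. Note that this only establishes that the vendor claims the fix; a scanner that can log in and query the package manager (or one that understands distribution backports) is the real remedy.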