Welcome to the most active Linux Forum on the web.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 02-25-2007, 08:34 AM   #1
Registered: Jul 2005
Posts: 273

Rep: Reputation: 31
nessus scan - openssl vulnerability

Hi all,

I did a nessus scan on some of my servers today, and I got back this.

The remote host is using a version of OpenSSL which is
older than 0.9.6m or 0.9.7d

There are several bug in this version of OpenSSL which may allow
an attacker to cause a denial of service against the remote host.

*** Nessus solely relied on the banner of the remote host
*** to issue this warning

Solution : Upgrade to version 0.9.6m (0.9.7d) or newer
Risk factor : High
CVE : CVE-2004-0079, CVE-2004-0081, CVE-2004-0112
BID : 9899
Other references : IAVA:2004-B-0006
I went and did a upgrade to versioin 0.9.8. Now when I run "openssl version", I get this:

OpenSSL 0.9.8e 23 Feb 2007

So after upgrading, I re-ran the nessus scan. And I got back the same result. I imagine this is an apache config problem?

I'm running apache 2.2.4 w/ php5.2.1. openssl is version 0.9.8.

Can anyone give me some direction?
Old 02-25-2007, 03:25 PM   #2
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,657

Rep: Reputation: 210Reputation: 210Reputation: 210
Check the service it reports a problem with. The thing is that quite many programs link with OpenSSL directly and do not use the version you have installed in your system. You'd need to update the service if that's the case.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Qualys Offers Free Vulnerability Scan Mapped to New Threats ... LXer Syndicated Linux News 0 05-08-2006 03:33 PM
Can someone do a Nessus scan on my IP Address? tangle Linux - Security 1 01-31-2005 02:08 PM
Cant scan with nmap or nessus saltas Linux - Networking 2 09-29-2004 03:34 PM
udp vulnerability (nessus report) wedgeworth Linux - Networking 15 05-13-2004 03:59 PM
WARN: OpenSSL NULL Pointer Assignment vulnerability unSpawn Linux - Security 1 03-18-2004 12:11 PM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:04 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration