plesk8.1 + centos openssl security problem?

d6d2001

Guest
Hi,

I just updated to PHP 5.1.6 from centosplus.

Everything is great except that I ran a couple of Nessus scans. The results show a couple of holes, all related to an older OpenSSL version. I once read that CentOS has indeed updated OpenSSL and it's just showing the old version number. But I just want to be sure.

Has anyone come across this and found a solution?

BTW, it's a centos4.4 with plesk 8.1 box.

Thanks

The remote host is using a version of OpenSSL which is
older than 0.9.6m or 0.9.7d

There are several bug in this version of OpenSSL which may allow
an attacker to cause a denial of service against the remote host.

Nessus solely relied on the banner of the remote host
to issue this warning


Solution: Upgrade to version 0.9.6m (0.9.7d) or newer


Risk Factor : High
CVE : CVE-2004-0079, CVE-2004-0081, CVE-2004-0112
BID : 9899
Other references : IAVA:2004-B-0006
Plugin ID : 12110
 
Nessus gets you a lot of false positives. Nessus only looks at version numbers to see if a system contains patches, but Red Hat (and thus CentOS) backports patches. Please read this document for more information: http://www.redhat.com/advice/speaks_backport.html

Bottom line: just make sure you run 'yum update' regularly (and that your distro is not EOL) and you should be fine.
 
Yep, if you read the full vulnerability description it will even tell you that this is a false positive against a Red Hat box. Flip on local checks, you'll get far more accurate results.
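
A local check along the lines the replies describe, as an added example that is not part of the original posts: it reads a package changelog and reports which of the CVE IDs from the Nessus finding are not named in it. The function name `missing_cves` and the sample changelog are constructed for illustration; it assumes the distribution's changelog entries name the IDs they fix.

```shell
#!/bin/sh
# Added example (not from the thread). Real use on the host:
#   rpm -q --changelog openssl | missing_cves CVE-2004-0079 CVE-2004-0081 CVE-2004-0112

# Reads changelog text on stdin; prints the given CVE IDs that are NOT
# mentioned in it (space separated) and returns 0 only if none are missing.
missing_cves() {
    changelog=$(cat)
    missing=""
    for cve in "$@"; do
        num=${cve#CVE-}    # e.g. 2004-0079
        # Older changelog entries may use the CAN- (candidate) prefix that
        # CVE entries carried before 2005, so accept both spellings.
        # The trailing guard stops 2004-0079 from matching 2004-00791.
        if ! printf '%s\n' "$changelog" |
            grep -Eq "(CVE|CAN)-${num}([^0-9]|\$)"; then
            missing="${missing:+$missing }$cve"
        fi
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample changelog (not real package data), so this runs offline.
SAMPLE_CHANGELOG='* Wed Mar 17 2004 Example Packager <packager@example.invalid> 0.9.7a-00
- add security fixes for CAN-2004-0079, CAN-2004-0112
* Mon Mar 08 2004 Example Packager <packager@example.invalid> 0.9.7a-00
- unrelated build fix'

if result=$(printf '%s\n' "$SAMPLE_CHANGELOG" |
    missing_cves CVE-2004-0079 CVE-2004-0081 CVE-2004-0112); then
    echo "all listed CVEs are mentioned in the changelog"
else
    echo "not mentioned in changelog: $result"
fi
```

An ID missing from the changelog is not proof that the host is vulnerable; it only means the changelog does not name it, so check the vendor's advisory for that ID.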
 