This is happening to us as well, and I'm a direct-feed customer. I just
sent Renaud a message about this. If someone from Tenable support will
send me a PGP key, I'll send the NBE file and HTML report.

Nice thing about this particular scan: one of the plugins lists all the
installed packages, so the proof that all 18 findings (in this case) are
false-positives is in the report itself.

John Scherff
24 Hour Fitness
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Crabshack
Sent: Thursday, June 21, 2007 8:00 AM
To: [email protected]
Subject: Possible False Positives Scanning 64 bit Red Hat Systems
I have googled and searched the list, and haven't found anything
related to what I am seeing. I am scanning some 64 Bit Red Hat boxes,
and they are coming up with a number of False Positive vulnerabilities.
I scanned one of these machines a few weeks ago, and didn't notice this
problem. I'm on the 14 day delay, and I just updated yesterday.
One of the many plugins that are coming back vulnerable is
18441. Looking at the code, it appears that this check is looking for
the following:
dbus-0.22-12.EL.2
dbus-devel-0.22-12.EL.2
dbus-glib-0.22-12.EL.2
dbus-python-0.22-12.EL.2
dbus-x11-0.22-12.EL.2
But when I look on the affected system, these packages do not
appear to be present:
[EMAIL PROTECTED] ~]$ rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}|%{EPOCH}\n' | grep dbus
dbus-devel-0.22-12.EL.9|(none)
dbus-0.22-12.EL.9|(none)
dbus-0.22-12.EL.9|(none)
dbus-x11-0.22-12.EL.9|(none)
dbus-python-0.22-12.EL.9|(none)
dbus-glib-0.22-12.EL.9|(none)
dbus-glib-0.22-12.EL.9|(none)
Another example, # 19390. This check is looking for:
irb-1.8.1-7.EL4.1
ruby-1.8.1-7.EL4.1
ruby-devel-1.8.1-7.EL4.1
ruby-docs-1.8.1-7.EL4.1
ruby-libs-1.8.1-7.EL4.1
ruby-mode-1.8.1-7.EL4.1
ruby-tcltk-1.8.1-7.EL4.1
On my machine:
[EMAIL PROTECTED] ~]$ rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}|%{EPOCH}\n' | grep ruby
ruby-libs-1.8.1-7.EL4.8|(none)
[EMAIL PROTECTED] ~]$ rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}|%{EPOCH}\n' | grep irb
[EMAIL PROTECTED] ~]$
Other information from the machine being scanned:
cat /etc/redhat-release = Red Hat Enterprise Linux AS release 4 (Nahant Update 5)
uname -m = x86_64
uname -a = Linux thebox.somewhere.net 2.6.9-55.ELsmp #1 SMP Fri Apr 20 16:36:54 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
Scanner Host:
nessus (Nessus) 3.0.5 for Linux
2.6.9-55.ELsmp #1 SMP Fri Apr 20 17:03:35 EDT 2007 i686 i686 i386 GNU/Linux
Red Hat Enterprise Linux WS release 4 (Nahant Update 5)
This is my first post to the list, so if you need more info,
please let me know.
Thanks.
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
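
The comparison both posters describe doing by eye can be scripted. The following is an added example, not part of either message and not Nessus code: it takes the package versions a plugin lists and the rpm -qa output in the --qf format used above, and reports which packages are actually below the listed version. It assumes the plugin's listed versions are the fixed builds and that only lower versions should be flagged; the function names are hypothetical, and the version comparison is a simplified form of rpm's segment rules.

```python
import re

_SEG = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified rpm segment comparison (no tilde/caret rules): -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse(line):
    """'name-version-release|epoch' (the post's --qf format) -> (name, evr)."""
    nvr, _, epoch = line.strip().partition("|")
    name, version, release = nvr.rsplit("-", 2)
    return name, (int(epoch) if epoch.isdigit() else 0, version, release)

def evrcmp(a, b):
    """Compare (epoch, version, release) tuples; '(none)' epoch counts as 0."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def triage(fixed_lines, installed_lines):
    """Map each package the plugin checks to not-installed / patched / outdated."""
    installed = {}
    for line in installed_lines:
        name, evr = parse(line)
        # A name can be listed more than once; keep the oldest copy (conservative).
        if name not in installed or evrcmp(evr, installed[name]) < 0:
            installed[name] = evr
    result = {}
    for line in fixed_lines:
        name, fixed = parse(line)
        if name not in installed:
            result[name] = "not-installed"
        else:
            ok = evrcmp(installed[name], fixed) >= 0
            result[name] = "patched" if ok else "outdated"
    return result

# Values copied from the post: part of plugin 19390's list and the rpm -qa output.
FIXED = ["irb-1.8.1-7.EL4.1", "ruby-1.8.1-7.EL4.1", "ruby-libs-1.8.1-7.EL4.1"]
INSTALLED = ["ruby-libs-1.8.1-7.EL4.8|(none)", "dbus-0.22-12.EL.9|(none)"]

if __name__ == "__main__":
    for pkg, status in triage(FIXED, INSTALLED).items():
        print(f"{pkg}: {status}")
```

Any finding whose packages all come back "patched" or "not-installed" is a candidate false positive to report along with the scan output.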