Hi Xueshan,

Thank you for bringing this to our attention. The problem has been fixed --
do a plugin update and the issue will go away.

Thanks,

                                -- Renaud


On Oct 9, 2007, at 5:32 PM, Xueshan Feng wrote:

> Quoting "George A. Theall" <[EMAIL PROTECTED]>:
>
>> On 10/08/07 18:01, Xueshan Feng wrote:
>>
>>> My scanner was flagged red by this plugin, although the openssl package
>>> on the system is up-to-date - stable etch, version 0.9.8c-4etch1.
>>
>> Are you sure you're looking at the correct plugin? 26029 corresponds to
>> DSA-1368-1, which is for a buffer overflow in librpcsecgss.
>
> This is what was reported by Nessus for my machine:
>
> Vulnerability general/tcp
> An off-by-one error has been identified in the SSL_get_shared_ciphers()
> routine in the libssl library from OpenSSL, an implementation of Secure
> Socket Layer cryptographic libraries and utilities. This error could
> allow an attacker to crash an application making use of OpenSSL's libssl
> library, or potentially execute arbitrary code in the security context
> of the user running such an application.
>
> For the old stable distribution (sarge), this problem has been fixed
> in version 0.9.7e-3sarge5.
>
>
> For the stable distribution (etch), this problem has been fixed in
> version 0.9.8c-4etch1.
>
>
> For the unstable and testing distributions (sid and lenny, respectively),
> this problem has been fixed in version 0.9.8e-9.
>
> We recommend that you upgrade your openssl packages.
>
>
> Solution : http://www.debian.org/security/2007/dsa-1379
> Risk factor : High
> The package openssl is vulnerable in Debian 4.0.
> Upgrade to openssl_0.9.8e-9
>
> CVE : CVE-2007-5135
> Other references : DSA:1379
> Nessus ID : 26209
> Informational general/tcp
>
>
> And this is the openssl package installed on my machine (run aptitude
> show openssl):
>
> Package: openssl
> State: installed
> Automatically installed: yes
> Version: 0.9.8c-4etch1
> Priority: optional
> Section: utils
> Maintainer: Debian OpenSSL Team <pkg-openssl-[EMAIL PROTECTED]>
> Uncompressed Size: 2273k
> Depends: libc6 (>= 2.3.6-6), libssl0.9.8 (>= 0.9.8c-1), zlib1g (>= 1:1.2.1)
> Suggests: ca-certificates
> Conflicts: ssleay (< 0.9.2b)
> Description: Secure Socket Layer (SSL) binary and related cryptographic tools
>   This package contains the openssl binary and related tools.
>
>>
>>
>> George
>> --
>> [EMAIL PROTECTED]
>> _______________________________________________
>> Nessus mailing list
>> [email protected]
>> http://mail.nessus.org/mailman/listinfo/nessus
>>
>
