OpenSSL CVE-2016-2176, CVE-2016-2178

paulmancan
Posts: 26
Joined: 2005/07/01 15:16:51

OpenSSL CVE-2016-2176, CVE-2016-2178

Post by paulmancan » 2016/08/24 19:06:06

Vuln scanning is detecting these. I do not see back ported patches noted.

RHN reports on these two seem ambiguous.

Are these legitimate vulnerabilities?


Thanks!

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: OpenSSL CVE-2016-2176, CVE-2016-2178

Post by avij » 2016/08/24 19:13:22

CVE-2016-2176: "not affected" https://access.redhat.com/security/cve/cve-2016-2176

CVE-2016-2178: "fix deferred" https://access.redhat.com/security/cve/cve-2016-2178 and https://bugzilla.redhat.com/show_bug.cg ... -2016-2178 -- I interpret this as "a fix will be included in the next convenient release of openssl, but there's no rush".

paulmancan
Posts: 26
Joined: 2005/07/01 15:16:51

Re: OpenSSL CVE-2016-2176, CVE-2016-2178

Post by paulmancan » 2016/08/24 19:41:19

Thanks, that was what I saw too, but I felt that this was ambiguous: "in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h". CentOS 7 is on 1.0.1e, so.... just the way I read this errata, I guess?

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: OpenSSL CVE-2016-2176, CVE-2016-2178

Post by avij » 2016/08/24 19:50:42

For -2176: "OpenSSL packages distributed by Red Hat do not enable EBCDIC support and are therefore unaffected by this issue.", so even though the version matches, the vulnerable functionality is not enabled in the packages distributed by Red Hat / CentOS.

For -2178: Yes, the RH / CentOS version is vulnerable, but its low severity does not warrant an immediate update.
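The thread turns on the difference between what a scanner infers from the upstream version string (1.0.1e) and what the vendor package actually contains. The usual way to settle that on a RHEL/CentOS host is to search the RPM changelog for the CVE id rather than compare versions. The script below is an added example, not from the thread or from Red Hat; `cve_status` and `check_installed_package` are names chosen here, and the changelog text is constructed with placeholder CVE ids.

```shell
#!/bin/sh
# Added example: check whether a CVE id is listed as fixed in an RPM
# changelog (the backport record) instead of trusting the version string.

# cve_status CVE-ID  (changelog text on stdin)
# Prints "fixed" and returns 0 if the id appears in the changelog,
# otherwise prints "not-listed" and returns 1. Matching is a plain,
# case-insensitive substring search, which is what the changelog
# lines of vendor packages normally allow.
cve_status() {
    if grep -qiF -- "$1"; then
        echo "fixed"
        return 0
    fi
    echo "not-listed"
    return 1
}

# check_installed_package PACKAGE CVE-ID
# Runs the same check against the changelog of an installed package.
# Returns 2 when rpm is not available on this host.
check_installed_package() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
    rpm -q --changelog "$1" | cve_status "$2"
}

# Constructed sample in the shape of `rpm -q --changelog openssl` output.
# The packager, date, release and CVE-0000-* ids are placeholders; the
# only real id used below is CVE-2016-2178 from the thread, which is
# deliberately absent to mirror its "fix deferred" status.
SAMPLE_CHANGELOG='* Mon Jan 01 2016 Packager <packager@example.invalid> 1.0.1e-0.placeholder
- fix CVE-0000-1111 - placeholder entry for a backported fix
- fix CVE-0000-2222 - placeholder entry for another backported fix
'

# Stand-alone demonstration on the constructed changelog.
printf '%s' "$SAMPLE_CHANGELOG" | cve_status CVE-0000-1111 || true
printf '%s' "$SAMPLE_CHANGELOG" | cve_status CVE-2016-2178 || true
```

On a live host, `check_installed_package openssl CVE-2016-2178` gives the same answer for the package that is actually installed; "not-listed" means the vendor has not recorded a backport, not that the version string is wrong.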

paulmancan
Posts: 26
Joined: 2005/07/01 15:16:51

Re: OpenSSL CVE-2016-2176, CVE-2016-2178

Post by paulmancan » 2016/08/24 20:12:18

Awesome, thanks for your quick reply!
