Dear Team,

As per the below trail mail, we are trying to upgrade the OpenSSL version from OpenSSL 0.9.8 to 0.9.8za on Oracle Linux 5.7 version. We have downloaded the tar file (openssl-0.9.8za.tar.gz) for the upgrade. But we are not able to install the same.
Could you please provide us the relevant rpm or installation steps?

Thanks,
Venkat
+971 554285480

Venkata Golla
Oracle Applications DBA | Information Technology
Emirates Advanced Investments Group
P.O Box 5254, Abu Dhabi, U.A.E.
Tel: +971 (2) 6421133 x 1516
Mob: +971 (50) 4425015
Email: venkata.go...@eai.ae
Web: http://www.eai.ae

-----Original Message-----
From: Symantec Technical Support [mailto:ssltechsupp...@symantec.com]
Sent: Friday, July 18, 2014 3:59 PM
To: Venkata Golla
Cc: Nitish Mittal
Subject: RE: Critical vulnerabilities found (#8083-432678597-2590)

Hi Venkata.

Thank you for the screenshot. The screenshot you sent states that you are using an unsecure version of OpenSSL (0.9.8e). Please take a look at the following link - OpenSSL security advisory: https://www.openssl.org/news/secadv_20140605.txt

Once you upgrade your OpenSSL version to a safe one, the vulnerability report will also reflect that.

I hope the information answers your questions. If you need further assistance please do not hesitate to contact us again.

Regards,
Aleksander
Symantec Authentication Services Technical Support Team
ssltechsupp...@symantec.com

Everyone at Symantec is committed to the highest level of customer satisfaction. If you want to provide feedback, please contact my manager at ts_mana...@symantec.com

Please visit our support site at:
www.symantec.com/help
www.symantec.co.uk/help
www.symantec.com.au/help

-----Original Message-----
From: Venkata Golla (venkata.go...@eai.ae)
Sent: 18-Jul-2014 05:57:30
Subject: RE: Critical vulnerabilities found (#8083-432678597-2590)

Dear Team,

Please find the below screen shot for your reference;

-----Original Message-----
From: Symantec Technical Support [mailto:ssltechsupp...@symantec.com]
Sent: Thursday, July 17, 2014 7:16 PM
To: Venkata Golla
Cc: Nitish Mittal
Subject: RE: Critical vulnerabilities found (#8083-432678597-2590)

Hello Venkata,

Thank you for the fast response.
If it is possible please execute the following command in OpenSSL and attach a screenshot, as the previous command did not provide the Version Number we require as proof. The Command will just be:

    openssl version

The results should be similar to the following:

    OpenSSL 0.9.8o 01 Jun 2010

Once we have a screenshot confirming this we can begin creating the case.

Thank you so much for your patience and for providing the necessary documentation. Please provide the screenshot requested and inform us of any additional questions.

Regards,
Chris
Symantec Authentication Services Technical Support Team
ssltechsupp...@symantec.com

-----Original Message-----
From: Venkata Golla (venkata.go...@eai.ae)
Sent: Jul 16, 2014 11:12:24 PM
Subject: RE: Critical vulnerabilities found (#8083-432678597-2590)

Dear Team,

Good morning. Please find the attached open SSL version and advise us,

Thanks.

-----Original Message-----
From: Symantec Technical Support [mailto:ssltechsupp...@symantec.com]
Sent: Wednesday, July 16, 2014 6:23 PM
To: Venkata Golla
Cc: Nitish Mittal
Subject: RE: Critical vulnerabilities found (#8083-432678597-2590)

Hello Venkata,

Thank you for the fast response. However before we can build a case we need a proof of which version of OpenSSL is used by the Web Server where the certificate has been installed.
The screenshot provided, while it does feature the version of SSL that the certificate corresponds to (V3), does not provide us with what version of OpenSSL the server platform is running. To determine which version of OpenSSL is being used to rule out the critical vulnerability being reported as a false positive we require a screenshot indicating which version of OpenSSL is being run on the server platform. We need to confirm that the server is not using the vulnerable OpenSSL versions 1.0.1 through 1.0.1f to confirm it is not vulnerable to Heartbleed, for example.

You should be able to check the version of OpenSSL by using the following command.

    openssl s_client -showcerts -connect <Internal IP of server>:443

Please provide the information requested along with a phone number you can be reached at and we will be happy to create a case to have the vulnerability flagged as a false positive and removed from future scans.

Regards,
Chris
Symantec Authentication Services Technical Support Team
ssltechsupp...@symantec.com

-----Original Message-----
From: Venkata Golla (venkata.go...@eai.ae)
Sent: Jul 16, 2014 1:07:24 AM
Subject: RE: Critical vulnerabilities found (#8083-432678597-2590)

Dear Team,

Thank you very much for your update. Please create the case to remove the false positive from future vulnerability assessment scans.

Please find the attached required documents,

Thanks.
-----Original Message-----
From: Symantec Technical Support [mailto:ssltechsupp...@symantec.com]
Sent: Tuesday, July 15, 2014 6:59 PM
To: Venkata Golla
Cc: Nitish Mittal
Subject: RE: Critical vulnerabilities found (#8083-432678597-2590)

Hello Venkata,

Thank you for contacting Symantec SSL Technical Support.

It appears that the version of OpenSSL used on the web server may be prone to vulnerabilities. If you believe this to be a false positive we can create a case to remove the false positive from future vulnerability assessment scans. To create a case we require the report document in pdf as you have provided, as well as a proof or proofs that the version of OpenSSL used on this device is not prone to vulnerabilities--such as the version information.

Unfortunately, as the Vulnerability Assessment is a complimentary service for informational purposes, it is outside of the scope of our SSL Certificate support to troubleshoot server configurations or web site content. If you wish to further pursue the vulnerabilities reported and resolve any potential issue pertaining to the vulnerabilities we offer a list of remediation referrals, such as in the link below.

Vulnerability Assessment Remediation Referrals
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1746&actp=search&viewlocale=en_US&searchid=1405436129408

For more information regarding the Vulnerability Assessment we are also providing our Frequently Asked Questions page in the link below.

Vulnerability FAQ
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1694&actp=search&viewlocale=en_US&searchid=1405436129408

Please provide us with the information requested if you wish to create a case for a false positive scan. Please inform us of any additional questions.
Regards,
Chris
Symantec Authentication Services Technical Support Team
ssltechsupp...@symantec.com

-----Original Message-----
From: Venkata Golla (venkata.go...@eai.ae)
Sent: Jul 14, 2014 11:22:26 PM
Subject: Critical vulnerabilities found

Dear Team,

Today we have received Critical vulnerabilities found message in our DMZ node, could you please check the attached report and update us, what we need to take care here?

Thanks,
Venkat
Mob - +971 554285480

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
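
Added example, not part of the original thread or of any participant's message: a small Python check that parses `openssl version` output and compares the upstream version against the two thresholds mentioned above (the Heartbleed range 1.0.1 through 1.0.1f, and the fixed releases listed in secadv_20140605.txt). The function names and the sample banners other than `OpenSSL 0.9.8o 01 Jun 2010` are constructed for illustration.

```python
import re

# Fixed releases per branch from the OpenSSL advisory of 5 June 2014
# (secadv_20140605.txt, linked in the thread).
FIXED_20140605 = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}
# Heartbleed range as quoted in the thread: 1.0.1 through 1.0.1f.
HEARTBLEED_BRANCH, HEARTBLEED_LAST = "1.0.1", "f"

BANNER_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_banner(banner):
    """Return (branch, patch_letters) from `openssl version` output."""
    match = BANNER_RE.search(banner)
    if match is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return match.group(1), match.group(2)


def letter_rank(letters):
    """Sort key for patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(letters), letters)


def assess(banner):
    """Compare the upstream version in a banner with the two thresholds."""
    branch, letters = parse_banner(banner)
    fixed = FIXED_20140605.get(branch)
    return {
        "version": branch + letters,
        "heartbleed_range": branch == HEARTBLEED_BRANCH
        and letter_rank(letters) <= letter_rank(HEARTBLEED_LAST),
        # None means the branch is not covered by the table above.
        "below_20140605_fix": None if fixed is None
        else letter_rank(letters) < letter_rank(fixed),
    }


if __name__ == "__main__":
    # Constructed sample banners; only "0.9.8o 01 Jun 2010" appears in the thread.
    for sample in (
        "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",
        "OpenSSL 0.9.8o 01 Jun 2010",
        "OpenSSL 0.9.8za 5 Jun 2014",
        "OpenSSL 1.0.1f 6 Jan 2014",
    ):
        print(sample, "->", assess(sample))
```

Distribution packages can carry backported fixes without changing the banner, so this compares the upstream version string only.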