On 03/25/2019 08:04 AM, kbannister wrote:
>
> Our Security Patch Administrator told me to remediate vulnerabilities on
> several SLES 11 sp4 OES 2015.1 servers. In regard to CVE-2015-0204
> which is from 2015.
>
> I know these servers, which I inherited, have been patched many times
> since 2015.
>
> Current openssl version>0.9.8j-fips 07 Jan 2009.
>
> The CVE says to update from OpenSSL 0.9.8 to 0.9.8zd. However this
> update is not in the Online Update channel.
>
> The Change Log for Openssl Security Updates has CVE-2015-0204 as an
> entry. Does this mean the vulnerability was fixed back in 2015. Thank
> you!


Yes, that's exactly what it means. Versions do not matter as much as
actual code, so if you run enterprise software (e.g. SLES) you may often
find things like versions indicating there is an issue when in fat the
issue was fixed. This is an old issue, circa Shakespearean times: "A rose
by any other name...".

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.