
Qualys Ubuntu OpenSSL false positives

Question asked by nathan.j.slinn on Apr 27, 2015
Latest reply on May 20, 2015 by Craig Kagawa

When performing a Qualys scan against our Ubuntu servers we have the following QIDs listed:

123407
123408
123409

The scan has detected 'OpenSSL 1.0.1f 6 Jan 2014', which it thinks is vulnerable, and requests we update to 1.0.1h; however, Canonical backports security fixes into their currently distributed OpenSSL version, which was actually released on 2015-03-19 with all current vulnerabilities patched.

The various releases and fixes are listed on Canonical's Launchpad site for reference: https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.11

How can we stop Qualys from picking up non-issues such as this?
