openssl-fips-provider part 2

[george-bah]

Version

2.4.150

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

12

RAM

48GB

Storage for /

1TB

Storage for /nsm

1TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I'm getting dinged on my company vul scans for having an out of date openssl-fips-provider package. I checked and the package version the scanner reports is what appears to be on the system.

openssl-fips-provider.x86_64 3.0.7-2.0.1.el9 @securityonion

I came here to see if anyone had reported this, and found this thread. In this thread the lack of update was blamed on Oracle, which is fair enough, but it's now 6 months later, the thread is locked, but still open, and this vul is now listed as critical by my company. Oracle seems to have updated this package so is there anything else that's holding this up?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[george-bah]

Does anyone know how to read the package list directly from Security Onion? I found the URL but can't seem to open it in a browser like I can with the Oracle repo.

[dougburks]

This has been resolved:

rpm -qa |grep openssl-fips
openssl-fips-provider-so-3.0.7-6.0.1.el9_5.x86_64
openssl-fips-provider-3.0.7-6.0.1.el9_5.x86_64