Howdy,
To test the security of my proprietary HTTPS server, built with OpenSSL library version 0.9.7d, I ran Nessus version 2.2 against it and it reported the following alert (as issued by Nessus plug-in ID 11875, described at: http://cgi.nessus.org/plugins/dump.php3?id=11875 ):
----------------------------------------
The remote host seems to be running a version of OpenSSL which is older than 0.9.6k or 0.9.7c.
There is a heap corruption bug in this version which might be exploited by an attacker to gain a shell on this host.
Solution : If you are running OpenSSL, upgrade to version 0.9.6k or 0.9.7c or newer
Risk factor : High
----------------------------------------
However, as mentioned above, the version of OpenSSL I am using is in fact newer than what Nessus suggests it to be (although just barely newer than 0.9.7c).
---> My question is, why does Nessus report this alert and, gulp, should I be worried about the associated “shell access” possibility?
More specifically, does this mean that one of the ASN.1 parsing problems described in CAN-2003-0543, CAN-2003-0544, and CAN-2003-0545 occurred somewhere in the OpenSSL library?
Also, I am not sure if this matters or not, but my HTTPS server does not require clients to provide their certificates, so at server initialization time I invoke (among the other start-up calls):
SSL_CTX_set_verify( sslCtx, SSL_VERIFY_NONE, NULL );
As I am about to release my product, I do not want to update the version of the OpenSSL library I am using but, of course, if there is a legitimate security concern here I will have to do so.
Any help and advice you can provide would be greatly appreciated.
Thanks,
- Andrew
The complete source to the Nessus plug-in is available at: http://cvsweb.nessus.org/cgi-bin/cvsweb.cgi/~checkout~/nessus-plugins/scripts/ssltest.nasl?content-type=text/plain
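The alert quoted above turns on a version comparison: is 0.9.7d older or newer than 0.9.7c, and is 0.9.6k on a different branch from both? The script below is an added example for this thread, not the poster's code and not the logic of the Nessus plug-in (which has to be read in the ssltest.nasl source linked above). It encodes version strings exactly as OpenSSL's own opensslv.h does (OPENSSL_VERSION_NUMBER = 0xMNNFFPPS, so 0.9.7a is 0x0090701f) and compares them against the per-branch fixed releases named in the alert. The table of fixed releases and the handling of a banner that omits the patch letter are assumptions for the example.

```python
"""Compare OpenSSL version strings the way OpenSSL itself encodes them.

opensslv.h encodes a 0.9.x release as OPENSSL_VERSION_NUMBER = 0xMNNFFPPS:
major M, minor NN, fix FF, patch letter PP (a=1, b=2, ...), status S
(0xf = release).  The comment in opensslv.h gives 0.9.7a as 0x0090701fL.
"""
import re

# Earliest release on each branch carrying the ASN.1 parsing fixes
# (CAN-2003-0543/0544/0545), taken from the Nessus alert quoted in the post.
# Assumption for this example: only these two branches need a patch letter.
FIXED_BY_BRANCH = {
    (0, 9, 6): "k",
    (0, 9, 7): "c",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_version(text):
    """Return (major, minor, fix, patch_letter) for e.g. '0.9.7d'.

    patch_letter is '' for a bare '0.9.7': either the first release on the
    branch or a banner that does not show the letter at all.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def version_number(text):
    """Encode a version string as the OPENSSL_VERSION_NUMBER long (release status 0xf)."""
    major, minor, fix, letter = parse_version(text)
    patch = (ord(letter) - ord("a") + 1) if letter else 0
    return (major << 28) | (minor << 20) | (fix << 12) | (patch << 4) | 0xF


def has_asn1_fix(text, from_banner=False):
    """True if the version is at or above the fixed release on its branch.

    With from_banner=True a string without a patch letter ('0.9.7') is
    treated as ambiguous and None is returned: a Server header that drops
    the letter could be 0.9.7, 0.9.7a ... 0.9.7d, so a scanner working from
    it alone cannot decide (this is the example's assumption about why a
    version check can misfire, not a statement about the Nessus plug-in).
    """
    major, minor, fix, letter = parse_version(text)
    branch = (major, minor, fix)
    if branch not in FIXED_BY_BRANCH:
        # Branches newer than 0.9.7 were cut after the fix; 0.9.5 and older
        # never received it.
        return branch > max(FIXED_BY_BRANCH)
    if from_banner and not letter:
        return None
    fixed = "%d.%d.%d%s" % (branch + (FIXED_BY_BRANCH[branch],))
    return version_number(text) >= version_number(fixed)


if __name__ == "__main__":
    # Constructed sample inputs: the versions named in the alert plus neighbours.
    for v in ("0.9.6j", "0.9.6k", "0.9.7", "0.9.7c", "0.9.7d", "0.9.8"):
        print("%-7s 0x%08x fixed=%s" % (v, version_number(v), has_asn1_fix(v)))
    print("banner '0.9.7' ->", has_asn1_fix("0.9.7", from_banner=True))
```

The string worth feeding into this is not the one in the build tree but the one the running binary reports: call SSLeay_version(SSLEAY_VERSION) from the server at start-up (it returns e.g. "OpenSSL 0.9.7d 17 Mar 2004") and compare that, since a dynamically linked libssl older than the headers the product was compiled against would make the scanner right and the source tree wrong.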
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]