Bug#765895: marked as done (rkhunter: maybe the Debian version should deactivate any update functionality)

Your message dated Sun, 16 Jul 2017 12:17:35 + with message-id and subject line "Bug#765895: fixed in rkhunter 1.4.2-0.4+deb8u1" has caused the Debian Bug report #765895, regarding "rkhunter: maybe the Debian version should deactivate any update functionality", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
765895: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765895
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: rkhunter
Version: 1.4.2-0.1
Severity: wishlist
Tags: security

Hi.

This is something for consideration: rkhunter has this "updating" functionality, which apparently downloads new stuff from the web, updates the mirrors list and so on. In a way I feel that this should be disabled (at least per default) in Debian for several reasons:

1) security

While I haven't checked rkhunter in specific, downloading stuff from the, especially new code or pattern files or anything that is actually used by a program, is always really tricky and difficult. Signing alone is by far not enough, as this often still allows for blocking/downgrading attacks. Some time ago I've started a longer thread about this on debian-devel...

It seems to use wget/curl per default for downloading, which means at best everything is SSL/TLS secured... which basically means no security at all. wget/curl both use per default still SSLv3 (which is broken since POODLE, latestly)... and even worse, any CA which is activated in the system (which is per default a big list, including such untrustworthy fellows as CNNIC) could forge certificates for the source-forge mirrors and potentially deliver our users forged files (if MitM attacks are possible as well).

So I guess it's better to be sceptical... especially since rkhunter runs as root.

As I said, I don't wanna claim that rkhunter wouldn't do this cleanly, since I haven't checked it... but even if secure, there comes the following:

2) if packages "update" themselves, they circumvent the package management system, which not only does everything from (1) correctly... it should also be the central point of the system that updates software and its code, with only very few exceptions (typically highly volatile stuff like spam filter rules, or virus definition files). If anything new goes to rkhunter, it should go to Debian via a proper package upgrade, not via some of rkhunter's own update functions.

That being said... if you agree, then I think the following changes to the default configuration hopefully do the job:

ROTATE_MIRRORS=0 (not strictly necessary)
UPDATE_MIRRORS=0 (do not update mirrors)
MIRRORS_MODE=1 (only use local mirrors, never even try to get anything remote)
UPDATE_LANG=en (do not update language files)
WEB_CMD=/bin/false (let any downloading fail)

Apart from that, --update seems to not work anyway (at least for me it always fails, even without the options from above).

Cheers,
Chris.
--- End Message ---
--- Begin Message ---
Source: rkhunter
Source-Version: 1.4.2-0.4+deb8u1

We believe that the bug you reported is fixed in the latest version of rkhunter, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 765...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francois Marier (supplier of updated rkhunter package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 11 Jul 2017 20:17:08 -0700
Source: rkhunter
Binary: rkhunter
Architecture: source all
Version: 1.4.2-0.4+deb8u1
Distribution: jessie
Urgency: high
Maintainer: Debian Forensics
Changed-By: Francois Marier
Description:
 rkhunter - rootkit, backdoor, sniffer and exploit scanner
Closes: 765895 866677
Changes:
 rkhunter (1.4.2-0.4+deb8u1) jessie; urgency=high
 .
   * Disable remote updates to fix CVE-2017-7480 and prevent bugs like it
     in the future (closes: #765895, #866677)
Checksums-Sha1:
 45834ddf4054f6f90c9ee0655c0e7208c5a384ff 2048 rkhunter_1.4.2-0.4+deb8u1.dsc
 da01bc6757e14549560ad6ea46d1e93dbf5ac90f 277707 rkhunter_1.4.2.orig.tar.gz
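The five settings proposed in the bug report, turned into a configuration audit that an administrator can run against a host's rkhunter.conf to confirm that rkhunter will never fetch anything over the network. This is an added example and is not code from the bug report, the reporter or the rkhunter package; the key names and values are exactly those listed in the report, the two sample config files it writes are constructed for the example, and the assumption that rkhunter.conf uses shell-style KEY=VALUE lines with "#" comments follows the form of the settings quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report or the rkhunter package): audit an
# rkhunter.conf for the five update-disabling settings proposed in bug #765895.
# The two config files written by write_sample_configs are constructed samples.

# Effective value of key $1 in config file $2: the last uncommented assignment
# wins; surrounding double quotes and trailing whitespace are stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | tail -n 1 | sed 's/^"\(.*\)"$/\1/; s/[[:space:]]*$//'
}

# Compare config file $1 against the proposed settings. Prints one line per
# deviation and returns 0 only when all five settings match.
check_update_disabled() {
    file=$1
    rc=0
    for pair in ROTATE_MIRRORS=0 UPDATE_MIRRORS=0 MIRRORS_MODE=1 \
                UPDATE_LANG=en WEB_CMD=/bin/false; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(conf_value "$key" "$file")
        if [ "$got" != "$want" ]; then
            echo "$file: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Write a permissive and a hardened sample config into directory $1.
# Both files are constructed for this example, not copied from any package.
write_sample_configs() {
    dir=$1
    cat > "$dir/permissive.conf" <<'EOF'
# constructed sample: remote updating left possible
#MIRRORS_MODE=0
ROTATE_MIRRORS=1
UPDATE_MIRRORS=1
UPDATE_LANG=""
WEB_CMD=""
EOF
    cat > "$dir/hardened.conf" <<'EOF'
# constructed sample: the settings proposed in Debian bug #765895
ROTATE_MIRRORS=0
UPDATE_MIRRORS=0
MIRRORS_MODE=1
UPDATE_LANG=en
WEB_CMD=/bin/false
EOF
}

# Stand-alone usage: audit the host's own configuration when it is readable.
if [ -r /etc/rkhunter.conf ]; then
    if check_update_disabled /etc/rkhunter.conf; then
        echo "/etc/rkhunter.conf: remote updates disabled"
    fi
fi
```

Commented-out lines are deliberately ignored, because a setting that is only present as a comment is still at whatever the program's built-in default is; the audit therefore reports such a key as unset rather than assuming the safe value.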
Bug#765895: marked as done (rkhunter: maybe the Debian version should deactivate any update functionality)

Your message dated Sat, 15 Jul 2017 22:17:23 + with message-id and subject line "Bug#765895: fixed in rkhunter 1.4.2-6+deb9u1" has caused the Debian Bug report #765895, regarding "rkhunter: maybe the Debian version should deactivate any update functionality", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
765895: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765895
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: rkhunter
Source-Version: 1.4.2-6+deb9u1

We believe that the bug you reported is fixed in the latest version of rkhunter, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 765...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francois Marier (supplier of updated rkhunter package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 12 Jul 2017 03:07:17 +
Source: rkhunter
Binary: rkhunter
Architecture: source all
Version: 1.4.2-6+deb9u1
Distribution: stable
Urgency: high
Maintainer: Debian Forensics
Changed-By: Francois Marier
Description:
 rkhunter - rootkit, backdoor, sniffer and exploit scanner
Closes: 765895 866677
Changes:
 rkhunter (1.4.2-6+deb9u1) stable; urgency=high
 .
   * Disable remote updates to fix CVE-2017-7480 and prevent bugs like it
     in the future (closes: #765895, #866677)
Checksums-Sha1:
 41e927f0fe49875118a6329637cfe59cf133228b 2082 rkhunter_1.4.2-6+deb9u1.dsc
 da01bc6757e14549560ad6ea46d1e93dbf5ac90f 277707 rkhunter_1.4.2.orig.tar.gz
Bug#765895: marked as done (rkhunter: maybe the Debian version should deactivate any update functionality)

Your message dated Wed, 05 Jul 2017 18:05:02 + with message-id and subject line "Bug#765895: fixed in rkhunter 1.4.4-2" has caused the Debian Bug report #765895, regarding "rkhunter: maybe the Debian version should deactivate any update functionality", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
765895: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765895
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: rkhunter
Source-Version: 1.4.4-2

We believe that the bug you reported is fixed in the latest version of rkhunter, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 765...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francois Marier (supplier of updated rkhunter package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 05 Jul 2017 10:39:31 -0700
Source: rkhunter
Binary: rkhunter
Architecture: source all
Version: 1.4.4-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Forensics
Changed-By: Francois Marier
Description:
 rkhunter - rootkit, backdoor, sniffer and exploit scanner
Closes: 765895
Changes:
 rkhunter (1.4.4-2) unstable; urgency=medium
 .
   * Disable remote updates to prevent bugs like CVE-2017-7480 in the future
     (closes: #765895).
   * Include db files in md5sums and remove lintian overrides.
   * Use standard file permissions for db files and remove lintian overrides.
Checksums-Sha1:
 9bc46b375973ee754a764e42d345b59f7e278bfd 2083 rkhunter_1.4.4-2.dsc