package rkhunter
severity 560157
thanks

Hi Maxim,

On Wednesday 09 December 2009 at 11:34 +0100, maxim kammerer wrote:
> Package: rkhunter
> Version: 1.3.2
> Severity: important
> 
> 
> rkhunter is complaining about some packages installed on my system
> (Lenny). I consider them security relevant and was quite a bit spooked
> upon having them reported as 'out of date' despite my running updates
> against s.d.o every day. apt-cache also reports them as up-to-date.

The applications are actually outdated, i.e. new versions were released
upstream.

> Here's an excerpt from rkhunter's daily report:
> 
> %< snip
> 
> Warning: Application 'exim', version '4.69', is out of date, and 
> possibly a security risk.
> Warning: Application 'gpg', version '1.4.9', is out of date, and 
> possibly a security risk.
> Warning: Application 'openssl', version '0.9.8g', is out of date, and 
> possibly a security risk.
> Warning: Application 'php', version '5.2.6', is out of date, and 
> possibly a security risk.
> Warning: Application 'sshd', version '5.1p1', is out of date, and 
> possibly a security risk.
> 
> %y eosnip
> 
> Probably, rkhunter doesn't know about patches backported in lenny and
> such and has been given a database which doesn't quite correspond with
> debian lenny. Note that rkhunter advises against binaries
> rather than packages, which supports the above thesis.

You are right. However rkhunter does only state that a new version of an
application has been released, and refers to a *possible* security risk.

> I trust the debian security team more than rkhunter, still it is a 
> bit unsettling.

You are right to trust the Debian Security Team.
As stated, rkhunter outputs are warnings only, do not overestimate them.

You can use the APP_WHITELIST option to whitelist application versions
you trust.

I think what happened is that upstream released version 1.3.6 very
recently, and the databases were updated (either automatically through the
weekly cronjob if you use it, or by hand running rkhunter --update).

I do not consider this as a bug in rkhunter, which does its job, I will
hence close this bug if you don't object (for now, I lower its priority
to normal).

Cheers,
Julien
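
The APP_WHITELIST suggestion above, as an added example that is not part of the original thread: a shell function that turns the "out of date" warnings of an rkhunter report into one APP_WHITELIST line. It assumes the space-separated name:version form documented in rkhunter.conf; the function names are hypothetical and the sample input is re-typed from the excerpt quoted in this thread.

```shell
#!/bin/sh
# Added example: derive an APP_WHITELIST entry from rkhunter warnings.
# Assumption: rkhunter.conf accepts "APP_WHITELIST=name:version name:version".

# Sample report, re-typed from the excerpt quoted in the thread. Two warnings
# are wrapped over two lines, as a mailed report may be.
sample_report() {
    cat <<'EOF'
Warning: Application 'exim', version '4.69', is out of date, and
possibly a security risk.
Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8g',
is out of date, and possibly a security risk.
Warning: Application 'php', version '5.2.6', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
EOF
}

# Reads a report on stdin, prints one APP_WHITELIST line on stdout.
app_whitelist_from_report() {
    # Undo line wrapping: join all lines, then squeeze repeated spaces.
    tr '\n' ' ' | tr -s ' ' |
    # Keep only the application/version part of each out-of-date warning.
    grep -o "Application '[^']*', version '[^']*', is out of date" |
    # Reduce each match to name:version.
    sed "s/^Application '\([^']*\)', version '\([^']*\)'.*/\1:\2/" |
    # Stable, de-duplicated order, then one space-separated line.
    LC_ALL=C sort -u | paste -sd' ' - |
    sed 's/.*/APP_WHITELIST=&/'
}

# Print the line to review before copying it into rkhunter.conf.
sample_report | app_whitelist_from_report
```

Because each entry names an exact version, an entry stops applying once the package is upgraded to a different upstream version. Add an entry only after confirming that the installed Debian package is current from the security archive.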