Package: rkhunter
Severity: wishlist

Depending on wget is bad for security. As is well known, security-related bugs are often exploited by providing shell code when input sanitizing is missing. That is why I do not install wget or curl on systems which need to be well protected.
This is the reason why I am not happy when security-related software depends on wget. I understand that there is no easy solution to this problem since rkhunter is a shell script, therefore the possibilities to connect to an HTTP server are limited to calling external programs. This wishlist bug should warn about the possible security risk when installing this program.

A solution to this problem could involve appending a binary to the shell script in the spirit of "makeself" (see Debian package with the same name). The binary file would have the sole purpose of connecting to the server updating the database files. This way no exploit can ever misuse the rkhunter package or its dependencies, which would mean a harder system.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)