Your message dated Wed, 05 Jul 2017 18:05:02 +0000 with message-id <e1dsofe-000dk5...@fasolo.debian.org> and subject line Bug#765895: fixed in rkhunter 1.4.4-2 has caused the Debian Bug report #765895, regarding rkhunter: maybe the Debian version should deactivate any update functionality to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 765895: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765895 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: rkhunter Version: 1.4.2-0.1 Severity: wishlist Tags: security Hi. This is something for consideration: rkhunter has this "updating" functionality, which apparently downloads new stuff from the web, updates the mirrors list and so on. In a way I feel that this should be disabled (at lest per default) in Debian for several reasons: 1) security While I haven't checked rkhunter in specific, downloading stuff from the, especially new code or pattern files or anything that is actually used by a program is always really tricky and difficult. Signing alone is by far not enough, as this often still allows for blocking/downgrading attacks. Some time ago I've started a longer thread about this on debian-devel... It seems to use wget/curl per default for downloading, which means at best, everything is SSL/TLS secured,... which basically means no security at all. wget/curl, both use per default still SSLv3 (which is broken since POODLE, latestly)... and even worse,... any CA which is activated in the system, which is per default a big list, including such untrustworthy fellows as CNNIC) could forge certificates for the source-forge mirrors and potentially deliver our users forged files (if MitM attacks are possible as well). So I guess it's better to be sceptical... especially since rkhunter runs as root. As I said, I don't wanna claim that rkhunter wouldn't do this cleanly, since I haven't checked it... but even if secure, there comes the following: 2) if packages "update" themselves, they circumvent the package management system, which no only does everything from (1) correctly... it should also be the central point of the system, that updates software and its code, with only very few execptions (typically highly volatile stuff like spam filter rules, or virus definition files). If anything new goes to rkhunter, it should go to Debian via a porper package upgrade, not via some of rkhunter's own update functions. That being said,... if you agree, than I think the following changes to the default confiugration hopefully do the job: ROTATE_MIRRORS=0 (not strictly necessary) UPDATE_MIRRORS=0 (do not update mirrors) MIRRORS_MODE=1 (only use local mirrors, never even try to get anything remote) UPDATE_LANG=en (do not update language files) WEB_CMD=/bin/false (let any downloading fail) Apart from that, --update seems to not work anyway (at least for me it always fails, even without the options from above). Cheers, Chris.
--- End Message ---
--- Begin Message ---Source: rkhunter Source-Version: 1.4.4-2 We believe that the bug you reported is fixed in the latest version of rkhunter, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 765...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Francois Marier <franc...@debian.org> (supplier of updated rkhunter package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 05 Jul 2017 10:39:31 -0700 Source: rkhunter Binary: rkhunter Architecture: source all Version: 1.4.4-2 Distribution: unstable Urgency: medium Maintainer: Debian Forensics <forensics-devel@lists.alioth.debian.org> Changed-By: Francois Marier <franc...@debian.org> Description: rkhunter - rootkit, backdoor, sniffer and exploit scanner Closes: 765895 Changes: rkhunter (1.4.4-2) unstable; urgency=medium . * Disable remote updates to prevent bugs like CVE-2017-7480 in the future (closes: #765895). * Include db files in md5sums and remove lintian overrides. * Use standard file permissions for db files and remove lintian overrides. Checksums-Sha1: 9bc46b375973ee754a764e42d345b59f7e278bfd 2083 rkhunter_1.4.4-2.dsc 3fa03853195746f5a0dae1baa3a0ba11997a56b5 26328 rkhunter_1.4.4-2.debian.tar.xz f79eeb0768e4c0b5c4bdacda56baed5db3cbbd4c 251448 rkhunter_1.4.4-2_all.deb e0246e2b93a0e49edbba7d34155079dba06ac4ad 5577 rkhunter_1.4.4-2_amd64.buildinfo Checksums-Sha256: 43d750ef7f66f7c15125ea6840f2eacab44c48d7f07aa01e13e46d1b8d639c2b 2083 rkhunter_1.4.4-2.dsc 6828212eda0972569da8b21c9f843772dc7d111883c9197eede4d52632e0bbae 26328 rkhunter_1.4.4-2.debian.tar.xz 28233d221fe74acfa39e3dd82cf1ad9b1fe1619c48a20869d199342cdfbca760 251448 rkhunter_1.4.4-2_all.deb f39be8a965fc19acea1b7989f58fae5bd84da107218fd4e8e146ba1eb5348301 5577 rkhunter_1.4.4-2_amd64.buildinfo Files: 26c7c5e506987f0613cabbd33dd92de3 2083 admin optional rkhunter_1.4.4-2.dsc 52db5487aa1000b155137b022a59ae59 26328 admin optional rkhunter_1.4.4-2.debian.tar.xz 902938cf3209214fff2586ca28eb4855 251448 admin optional rkhunter_1.4.4-2_all.deb 9a0ba05f1e396027d10447cafd3f4e42 5577 admin optional rkhunter_1.4.4-2_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQKoBAEBCgCSFiEEjEcLKgsxVo4RDUMlFigfLgB8mNEFAlldJrxfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDhD NDcwQjJBMEIzMTU2OEUxMTBENDMyNTE2MjgxRjJFMDA3Qzk4RDEUHGZyYW5jb2lz QGRlYmlhbi5vcmcACgkQFigfLgB8mNEE8w/8Dn1IHXUJ4TW0P2i1XqxbTw9z0hsG szAvctXHVqViLFF6WCBQeUxU7Cl/xu9tMdV87tTmd4b3XNPed5dHwEN7M72BbZ+Z GPDGgARX0hlJpQ2NqrvLKNl/l9lxAsywdyRjzPf/47DNrQ51vmjA+hhfp+sWFPm9 ms5gQ/uQIqOASHbmq4bYEDRE9ddeEhQqLfRsz5SN8z80mHP/e1+NkcGc8bFywx1o deMDpTm3SmL1dn7lDo0o+wfFBCdnjG/GQ4I8jwV7fYcLpOH9RmDx8itOgQCD2dQ7 4ia4U2gRhAalgnh6atxO9ZYzMwYIutSgGOqu5oUiSz/ow8ppmmYlShgdZH9bbFg5 jHQ4rf8gBPsRnUdS32rEVT5ZByw6mdyxsn/8vhxfYNssmZty5yhs9frW4R6TUgny nW9Fx7sr+zayAbbsLTbh6ypxB2bqr1ihiagnMKTU7sy6VP4J79+Ymivpd9+OdYDB igJ1xXYoLZqrI1Q/5hZUSGqFpQFd974t4GmbNFI4XhTo8fIqjW0hX++IJwPuFQvs WiRfN7cpHRy3SZgH5iFtK0QQ5RkN8GpsG6l2yp3z6hJKJJ4T7yWUGd9vt3LOOzaS H0sRdHftPNksMRiPV0nvKNs0SQ1DcixJHezcJ7XtFiWw2JkGTTR35n83t6Hp9eSp Exd9bZRiozmKWC4= =6Tlb -----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________ forensics-devel mailing list forensics-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/forensics-devel
