[Bug 493607] Re: rkhunter reports openssl and sshd versions out of date
** Changed in: rkhunter (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/493607 Title: rkhunter reports openssl and sshd versions out of date -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 493607] Re: rkhunter reports openssl and sshd versions out of date
Please note: One has to have a blank at the start and the end of the APP_WHITELIST in rkhunter.conf. Like

    APP_WHITELIST=" openssl:0.9.8g sshd:4.7p1 "

otherwise first and last entry will never match, as the test used is

    if [ -n "`echo \"${APP_WHITELIST}\" | grep \" ${APPLICATION}:${RKHTMPVAR} \"`" ]; then ...

:-( Hope this saves others some time.
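The matching behaviour described in the message above, as an added example that is not part of the original post or of rkhunter itself. It wraps the quoted test in a hypothetical helper (`app_whitelisted`) and adds a hypothetical `audit_whitelist` that lists the entries of a whitelist string the test can never match; the whitelist values are constructed from versions mentioned in this thread.

```shell
#!/bin/sh
# Added example: app_whitelisted and audit_whitelist are hypothetical names.
# Only the grep test inside app_whitelisted is taken from the message above.

# Returns 0 if "<application>:<version>" passes the quoted whitelist test.
app_whitelisted() {
    APP_WHITELIST=$1
    APPLICATION=$2
    RKHTMPVAR=$3
    if [ -n "`echo \"${APP_WHITELIST}\" | grep \" ${APPLICATION}:${RKHTMPVAR} \"`" ]; then
        return 0
    fi
    return 1
}

# Prints every entry of the given whitelist string that the test above
# fails to match against that same string (space separated, empty if none).
audit_whitelist() {
    wl=$1
    missed=""
    for entry in $wl; do
        app=${entry%%:*}    # text before the first colon
        ver=${entry#*:}     # text after the first colon
        app_whitelisted "$wl" "$app" "$ver" || missed="$missed $entry"
    done
    echo "${missed# }"
}

# Constructed sample values: the same three entries without and with padding.
UNPADDED='openssl:0.9.8g named:9.4.2 sshd:4.7p1'
PADDED=' openssl:0.9.8g named:9.4.2 sshd:4.7p1 '

echo "unpadded, never matched: $(audit_whitelist "$UNPADDED")"
echo "padded, never matched:   $(audit_whitelist "$PADDED")"
```

Only the middle entry of the unpadded string matches, because the pattern requires a space on both sides of each `name:version` pair.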
[Bug 493607] Re: rkhunter reports openssl and sshd versions out of date
** Changed in: rkhunter (Debian) Status: Unknown => Fix Released
Re: [Bug 493607] Re: rkhunter reports openssl and sshd versions out of date
On Thu, Dec 17, 2009 at 7:52 PM, Andrew Cholakian wrote:
> furicle, while it is true that Ubuntu backports fixes from upstream
> versions it's incorrect to say that the version number doesn't change.
> For instance, on Hardy at the moment the current version of PHP is PHP
> 5.2.4-2ubuntu5.9, Ubuntu doesn't increment the 5.2.4-2 part, but it
> does increment the ubuntu5.9 part. For the white list scheme to work,
> every Ubuntu package rkhunter looks at would have to synchronize its
> releases with concurrent updates of the rkhunter white list. That hardly
> seems worth it to me.

But rkhunter does not check the packaging version number with the appcheck - just the 'upstream' version number. That doesn't change. It's only a handful of packages, once every six months. It's really not a big deal. That line I provided is all it takes.

The packaging changes are covered via the apt system in a different way. That's why apt is hooked to run rkhunter --propupd when you install/upgrade.
[Bug 493607] Re: rkhunter reports openssl and sshd versions out of date
furicle, while it is true that Ubuntu backports fixes from upstream versions it's incorrect to say that the version number doesn't change. For instance, on Hardy at the moment the current version of PHP is PHP 5.2.4-2ubuntu5.9, Ubuntu doesn't increment the 5.2.4-2 part, but it does increment the ubuntu5.9 part. For the white list scheme to work, every Ubuntu package rkhunter looks at would have to synchronize its releases with concurrent updates of the rkhunter white list. That hardly seems worth it to me. Additionally, since those applications would be white listed, the user wouldn't even know they were vulnerable unless they somehow updated rkhunter with updating any other packages (since those other packages would presumably already be patched). The white list just doesn't make sense with Ubuntu packages. The only real solution is to maintain a separate version of rkhunter's bad package database, and I don't see anyone volunteering to do that. I personally hardly think it's worth it.
Re: [Bug 493607] Re: rkhunter reports openssl and sshd versions out of date
On Thu, Dec 17, 2009 at 12:23 PM, Andrew Cholakian wrote:
> furicle,
>
> It looks to me that every security release would require an update to
> the white list unless I'm mistaken.

I don't think so. The problem is because they (Debian based distros like Ubuntu) PATCH the current version INSTEAD of updating. So the version number never changes. The .deb gets updated, but the base version number is static.

The config file would change for every release - but it does anyway because they package the new version for every release. It's not any more work than currently *as I understand the process*

Brian
[Bug 493607] Re: rkhunter reports openssl and sshd versions out of date
furicle, It looks to me that every security release would require an update to the white list unless I'm mistaken. I just don't see this happening. Flat out skipping the apps check will likely be more practical for rkhunter's maintainer. It's been about a week since this was reported, and the package still hasn't gotten the love it needs. I don't see Ubuntu maintaining an up to date white list as something that, for better or worse, is likely to happen. My thinking is, if the white list regularly goes out of sync people will just get irritated by the false positives and either disable apps checking themselves, uninstall rkhunter, or just ignore all positives.
Re: [Bug 493607] Re: rkhunter reports openssl and sshd versions out of date
On Wed, Dec 16, 2009 at 12:45 PM, Andrew Cholakian wrote:
> It does appear that adding 'apps' to the DISABLE_TESTS option in
> /etc/rkhunter.conf does work.

Sure, but wouldn't it be better to only whitelist certain versions rather than skipping them altogether? Keep the whitelist as tight as possible rather than skipping the checks altogether
[Bug 493607] Re: rkhunter reports openssl and sshd versions out of date
It does appear that adding 'apps' to the DISABLE_TESTS option in /etc/rkhunter.conf does work.
[Bug 493607] Re: rkhunter reports openssl and sshd versions out of date
My apologies, it appears that the --skip-application-check flag doesn't work after all.
[Bug 493607] Re: rkhunter reports openssl and sshd versions out of date
An easier way to bypass this than white listing (at least for cron jobs) is to simply have it skip the application check. Just set the environment variable $RK_OPT to '--skip-version-check'. The rkhunter cron job automatically adds the contents of $RK_OPT to the rkhunter command line.
[Bug 493607] Re: rkhunter reports openssl and sshd versions out of date
** Bug watch added: Debian Bug tracker #560157
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560157

** Also affects: rkhunter (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560157
   Importance: Unknown
   Status: Unknown

** Changed in: rkhunter (Ubuntu)
   Status: New => Confirmed
[Bug 493607] Re: rkhunter reports openssl and sshd versions out of date
About the colons, look in /var/log/rkhunter, and it'll tell you exactly what to whitelist. For named, I had to use "named:9.4.2". Still, it seems silly that I have to whitelist apps that are in Ubuntu because of a root-kit checker that is in Ubuntu. I would have hoped that the distro would be more internally consistent. As it stands, I have spent a little time this morning to make sure that I do not get a bunch of false-positive emails from all of my servers. Those got old very quickly.

Alan