11-20-2010, 12:08 PM
Paul Cartwright

rkhunter report

I run rkhunter, and today I got this report:

Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8n', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '5.5p1', is out of date, and possibly a security risk.


I am running Lenny, up-2-date.. is this something I can do anything about?

--
Paul Cartwright
Registered Linux user # 367800



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4CE7C832.7010308@pcartwright.com
 
11-20-2010, 07:14 PM
"Boyd Stephen Smith Jr."

rkhunter report

In <4CE7C832.7010308@pcartwright.com>, Paul Cartwright wrote:
>I run rkhunter, and today I got this report:
>
>Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a
>security risk. Warning: Application 'openssl', version '0.9.8n', is out of
>date, and possibly a security risk. Warning: Application 'sshd', version
>'5.5p1', is out of date, and possibly a security risk.
>
>
>I am running Lenny, up-2-date.. is this something I can do anything about?

Well, it would help if rkhunter was more specific. The Debian security team
will sometimes take security fixes from newer releases and apply them to the
packages in stable without bumping the version number reported by the
software.

It does look like "gnupg" and "openssl" have received some updates since the
Lenny release, and "openssl" got some from the security team specifically.
"openssh-server" hasn't been updated since the Lenny release, AFAIK.

If there is a specific vulnerability you are concerned about, asking on
debian-security for the status of a fix might be appropriate. As far as
unknown threats go, there may be security flaws in the Lenny versions that are
fixed upstream, but there may also be new flaws introduced upstream that are
not in the Lenny versions.

Debian policy is that no new upstream versions enter stable, so if you would
be more comfortable with newer versions, you'll have to pull from backports,
testing, unstable, or possibly even experimental. gnupg 1.4.11 is in
experimental; openssl 0.9.8o is in testing and unstable; openssh-server 5.6p1
is in experimental. During a freeze (like now) some packages are uploaded to
experimental instead of unstable not for any package(ing) specific reason, but
to make fixing RC bugs in testing easier. After the freeze you should see
these (or newer) versions uploaded to unstable within days.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
 
11-20-2010, 07:28 PM
Paul Cartwright

rkhunter report

On 11/20/2010 03:14 PM, Boyd Stephen Smith Jr. wrote:
>> >Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a
>> >security risk. Warning: Application 'openssl', version '0.9.8n', is out of
>> >date, and possibly a security risk. Warning: Application 'sshd', version
>> >'5.5p1', is out of date, and possibly a security risk.
>> >
>> >
>
> It does look like "gnupg" and "openssl" have received some updates since the
> Lenny release, and "openssl" got some from the security team specifically.
> "openssh-server" hasn't been updated since the Lenny release, AFAIK.
>
> If there is a specific vulnerability you are concerned about, asking on
> debian-security for the status of a fix might be appropriate. As far as
> unknown threats go, there may be security flaws in the Lenny versions that are
> fixed upstream, but there may also be new flaws introduced upstream that are
> not in the Lenny versions.
I am not so much concerned about vulnerability as I am rkhunter
giving me a warning about "up-2-date" apps..
openssl might concern me, because I use ssl.. same with ssh.. since MOST
of what I do is behind my router, I am not very public internet facing..
I just don't like getting messages that tell me something is NOT
uptodate, when I am ALWAYS up to date..


--
Paul Cartwright
Registered Linux user # 367800



--
Archive: http://lists.debian.org/4CE82F6E.3030401@pcartwright.com
 
11-20-2010, 07:46 PM
Brian

rkhunter report

On Sat 20 Nov 2010 at 15:28:30 -0500, Paul Cartwright wrote:

> I just don't like getting messages that tell me something is NOT
> uptodate, when I am ALWAYS up to date..

Well, don't run applications which output spurious warnings as a matter
of course. Purging rkhunter will do wonders for your blood pressure
without endangering your system.


--
Archive: http://lists.debian.org/20101120204657.GE20623@desktop
 
11-20-2010, 07:57 PM
Norbert Zeh

rkhunter report

Paul Cartwright [2010.11.20 1528 -0500]:
> On 11/20/2010 03:14 PM, Boyd Stephen Smith Jr. wrote:
> >> >Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a
> >> >security risk. Warning: Application 'openssl', version '0.9.8n', is out of
> >> >date, and possibly a security risk. Warning: Application 'sshd', version
> >> >'5.5p1', is out of date, and possibly a security risk.
> >> >
> >> >
> >
> > It does look like "gnupg" and "openssl" have received some updates since the
> > Lenny release, and "openssl" got some from the security team specifically.
> > "openssh-server" hasn't been updated since the Lenny release, AFAIK.
> >
> > If there is a specific vulnerability you are concerned about, asking on
> > debian-security for the status of a fix might be appropriate. As far as
> > unknown threats go, there may be security flaws in the Lenny versions that are
> > fixed upstream, but there may also be new flaws introduced upstream that are
> > not in the Lenny versions.
> I am not so much concerned about vulnerability as I am rkhunter
> giving me a warning about "up-2-date" apps..
> openssl might concern me, because I use ssl.. same with ssh.. since MOST
> of what I do is behind my router, I am not very public internet facing..
> I just don't like getting messages that tell me something is NOT
> uptodate, when I am ALWAYS up to date..

If I recall correctly from a previous thread on this list, rkhunter
simply tests whether you have the most recent version of these
applications installed and warns you if you don't. I simply ignored
these warnings when I got them. If I understand the documentation of
rkhunter (which is very sparse) correctly, you can eliminate these
warnings by adding

ATTRWHITELIST=<path to gpg>

and the same for anything else you get these warnings for to
/etc/rkhunter.conf. Again, if I understand correctly, this will also
turn off other attribute checks for these programs, including uid/gid,
etc. Since these may be useful checks to detect malicious modifications
on your system, you may not want to do this.

Cheers,
Norbert


--
Archive: http://lists.debian.org/20101120205740.GD3927@cs.dal.ca
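
An added example, not part of the message above and not rkhunter's own code: rkhunter.conf also has an APP_WHITELIST option, a space-separated list of application names, each optionally followed by a colon and a version. The script below turns the warnings quoted in this thread (embedded as constructed sample input) into a version-pinned line; the function names are hypothetical, and it assumes the installed rkhunter supports APP_WHITELIST.

```shell
#!/bin/sh
# Added example: build a version-pinned APP_WHITELIST line from rkhunter
# "out of date" warnings. Assumption: the installed rkhunter supports
# APP_WHITELIST with space-separated name:version entries.

# Reads rkhunter warning text on stdin and prints one APP_WHITELIST line.
# Returns 1 if no application version warnings were found.
app_whitelist_from_warnings() {
    entries=$(
        # -o copes with several warnings run together on one line.
        grep -o "Application '[^']*', version '[^']*', is out of date" |
        sed "s/^Application '\([^']*\)', version '\([^']*\)'.*/\1:\2/" |
        # Keep only entries built from characters expected in names and
        # versions, so nothing odd from a log ends up in rkhunter.conf.
        grep -E '^[A-Za-z0-9_.+-]+:[A-Za-z0-9_.+~-]+$' |
        LC_ALL=C sort -u | tr '\n' ' '
    )
    entries=${entries% }            # drop the trailing separator
    [ -n "$entries" ] || return 1
    printf 'APP_WHITELIST=%s\n' "$entries"
}

# Constructed sample input: the three warnings quoted in this thread.
sample_warnings() {
    cat <<'EOF'
Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8n', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '5.5p1', is out of date, and possibly a security risk.
EOF
}

# Print the line to review before adding it to /etc/rkhunter.conf.
sample_warnings | app_whitelist_from_warnings
```

Because each entry names a version, the warning comes back as soon as the application reports a different version that rkhunter still considers old.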
 
11-20-2010, 07:59 PM
"Boyd Stephen Smith Jr."

rkhunter report

In <4CE82F6E.3030401@pcartwright.com>, Paul Cartwright wrote:
>On 11/20/2010 03:14 PM, Boyd Stephen Smith Jr. wrote:
>>> >Warning: Application 'gpg', version '1.4.10', is out of date, and
>>> >possibly a security risk. Warning: Application 'openssl', version
>>> >'0.9.8n', is out of date, and possibly a security risk. Warning:
>>> >Application 'sshd', version '5.5p1', is out of date, and possibly a
>>> >security risk.
>>
>> If there is a specific vulnerability you are concerned about, asking on
>> debian-security for the status of a fix might be appropriate.
>
>I am not so much concerned about vulnerability as I am rkhunter
>giving me a warning about "up-2-date" apps..

File a bug against rkhunter, then.

>I just don't like getting messages that tell me something is NOT
>uptodate, when I am ALWAYS up to date..

Many people don't consider Debian stable up-to-date even with packages from
security.debian.org and volatile.debian.org in use. It is possible that the
development / release team of rkhunter contains some of those people.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
 
11-20-2010, 08:14 PM
Paul Cartwright

rkhunter report

On 11/20/2010 03:59 PM, Boyd Stephen Smith Jr. wrote:
> File a bug against rkhunter, then.
that is a thought..
>> >I just don't like getting messages that tell me something is NOT
>> >uptodate, when I am ALWAYS up to date..
> Many people don't consider Debian stable up-to-date even with packages from
> security.debian.org and volatile.debian.org in use. It is possible that the
> development / release team of rkhunter contains some of those people.
> --
I have volatile commented out in my sources.list.. should I be using it?
sources.list:

deb http://ftp.us.debian.org/debian/ lenny main contrib non-free
deb http://ftp.de.debian.org/debian lenny main
deb-src http://ftp.us.debian.org/debian/ lenny main contrib non-free
deb http://security.us.debian.org/ lenny/updates main contrib non-free
deb http://tovid.sourceforge.net/download/debian lenny contrib
deb-src http://tovid.sourceforge.net/download/debian lenny contrib
deb http://deb.opera.com/opera/ lenny non-free
deb http://download.skype.com/linux/repos/debian/ stable non-free

######### End of suggested Stable repos ###########
### EXTERNAL SOURCES ###

# for avasys for Epson printing
deb http://www.da-cha.jp/debian/dists/etch ./

#backports go here:
deb http://www.backports.org/debian lenny-backports main contrib non-free
deb http://ftp.debian.org/debian lenny main contrib non-free
deb http://www.debian-multimedia.org lenny main
# added linuxfoundation-openprinting for HPLIP
deb http://www.openprinting.org/download/printdriver/debian/ lsb3.2 main
deb http://ftp.us.debian.org/debian/ lenny-proposed-updates contrib non-free main
deb-src http://ftp.us.debian.org/debian/ lenny-proposed-updates contrib non-free main
deb http://security.debian.org/ lenny/updates contrib non-free main
deb-src http://security.debian.org/ lenny/updates contrib non-free main

##spotify
deb http://repository.spotify.com stable non-free


--
Paul Cartwright
Registered Linux user # 367800



--
Archive: http://lists.debian.org/4CE83A40.5030801@pcartwright.com
 
11-20-2010, 08:46 PM

rkhunter report

On Sat, Nov 20, 2010 at 08:46:57PM +0000, Brian wrote:
>
> Well, don't run applications which output spurious warnings as a matter
> of course. Purging rkhunter will do wonders for your blood pressure
> without endangering your system.
>

I agree.


--
Archive: http://lists.debian.org/20101120214652.GA23625@shellium.org
 
11-20-2010, 08:50 PM
Paul Cartwright

rkhunter report

On 11/20/2010 03:46 PM, Brian wrote:
> Well, don't run applications which output spurious warnings as a matter
> of course. Purging rkhunter will do wonders for your blood pressure
> without endangering your system.
are you saying rkhunter is not worth running?

--
Paul Cartwright
Registered Linux user # 367800



--
Archive: http://lists.debian.org/4CE842C3.2040706@pcartwright.com
 
11-20-2010, 10:34 PM
"Boyd Stephen Smith Jr."

rkhunter report

In <4CE83A40.5030801@pcartwright.com>, Paul Cartwright wrote:
>On 11/20/2010 03:59 PM, Boyd Stephen Smith Jr. wrote:
>> Many people don't consider Debian stable up-to-date even with packages
>> from security.debian.org and volatile.debian.org in use. It is possible
>> that the development / release team of rkhunter contains some of those
>> people.
>
>I have volatile commented out in my sources.list.. should I be using it?

I recommend it, but there aren't that many packages in it anyway so you are
likely not missing anything.

Volatile is meant for updates to packages whose usefulness naturally degrades
as time passes, like virus scanners and spam filters. IIRC, occasionally IM
software is even updated when proprietary protocols change. Basically stuff
that loses functionality because of reasons outside of Debian's control. In
some ways it overlaps with backports, since new upstream versions are allowed
in some cases. It has been official much longer than backports, IIRC.

It isn't appropriate for fixing security flaws; that's what the security
repository is for. It isn't for new upstream versions because the new version
has additional features that the old version is lacking; that's what the
backports repository is for.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
 

All times are GMT.