
Re: 'exim', version '4.69', is out of date



On Wed, 09 Dec 2009 13:45:39 +0000, Tzafrir Cohen wrote:

> On Wed, Dec 09, 2009 at 12:37:22PM +0000, Camaleón wrote:

>> > No. Rkhunter is not doing its job. Most of the installations of Exim
>> > in the world are by now "out of date". Hence Rkhunter is more likely
>> > to generate a false warning. Or even worse: to encourage the user to
>> > install an unsupported package.
>> 
>> Well, but it is "a fact" that it is outdated. And that is the warning
>> Rkhunter is giving to the user. No more, no less.
> 
> It's not outdated.
> http://packages.debian.org/changelogs/pool/main/e/exim4/exim4_4.69-9/changelog
> -- Andreas Metzler <ametzler@debian.org>  Tue, 30 Sep 2008 20:12:27 +0200
> 
> Is this outdated?


Well, yes.

As per Exim's site, the current version is 4.71. And "4.69" is "minor" 
than "4.71" :-)

But "outdated" does not mean "insecure" per se. That is what I tried to 
make the OP understand.


> Rkhunter assumes that a simple check of the version number will do. That
> assumption fails all too often.


That is how the program works. And one who installs it has to know beforehand 
what kind of warning it provides.

Remember what the log said:

***
Warning: Application 'exim', version '4.69', is out of date, and possibly 
a security risk.
***

The program cannot know the full changelog between one version and 
another, and of course, also knows nothing about security issues that can 
arise in both versions. 

It only "rings the bell" so the user can take the desired step (if 
any).


>> > So basically your hunter is crying "old wolf" and you ignore it.
>> 
>> I don't know how Rkhunter works, but it should be configurable so the
>> user can select what kind of warning they want to receive.
> 
> So it's just the defaults that are wrong?


ClamAV, by the way, warns the user in a similar way: it floods the logs 
saying "eh, there is a newer version|signature files upstream, I need an 
update...".

And I don't think that is a "bad default" setting. It is just doing its 
job ;-)

Greetings,

-- 
Camaleón

