Re: rkhunter report



In <4CE7C832.7010308@pcartwright.com>, Paul Cartwright wrote:
>I run rkhunter, and today I got this report:
>
>Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a
>security risk. Warning: Application 'openssl', version '0.9.8n', is out of
>date, and possibly a security risk. Warning: Application 'sshd', version
>'5.5p1', is out of date, and possibly a security risk.
>
>
>I am running Lenny, up-2-date.. is this something I can do anything about?

Well, it would help if rkhunter was more specific.  The Debian security team 
will sometimes take security fixes from newer releases and apply them to the 
packages in stable without bumping the version number reported by the 
software.

It does look like "gnupg" and "openssl" have received some updates since the 
Lenny release, and "openssl" got some from the security team specifically.  
"openssh-server" hasn't been updated since the Lenny release, AFAIK.

If there is a specific vulnerability you are concerned about, asking on 
debian-security for the status of a fix might be appropriate.  As far as 
unknown threats go, there may be security flaws in the Lenny versions that are 
fixed upstream, but there may also be new flaws introduced upstream that are 
not in the Lenny versions.

Debian policy is that no new upstream versions enter stable, so if you would 
be more comfortable with newer versions, you'll have to pull from backports, 
testing, unstable, or possibly even experimental.  gnupg 1.4.11 is in 
experimental; openssl 0.9.8o is in testing and unstable; openssh-server 5.6p1 
is in experimental.  During a freeze (like now) some packages are uploaded to 
experimental instead of unstable not for any package(ing) specific reason, but 
to make fixing RC bugs in testing easier.  After the freeze you should see 
these (or newer) versions uploaded to unstable within days.
-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
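The version-number point above (the security team backports fixes into stable without bumping the upstream version, so a scanner that reads only that string reports "out of date") as an added example; this is not code from the thread, from rkhunter or from dpkg. It ports dpkg's version-ordering rules to Python and checks whether an installed package carries a Debian-revision update that an upstream-only comparison cannot see; every version string used with it is constructed.

```python
# Added example (not from the thread): dpkg version ordering vs. upstream-only checks; constructed versions
def _order(c):
    # dpkg character weight: '~' sorts before end-of-string, letters before other symbols
    if c.isdigit() or not c:
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _verrevcmp(a, b):
    # Compare an upstream-version or revision string the way dpkg's verrevcmp() does
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            d = _order(a[i:i + 1]) - _order(b[j:j + 1])  # empty slice == end of string
            if d:
                return d
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if (i < len(a) and a[i].isdigit()) or (j < len(b) and b[j].isdigit()):
            return 1 if i < len(a) and a[i].isdigit() else -1  # longer number wins
        if first_diff:
            return first_diff
    return 0

def parse_version(v):
    # "[epoch:]upstream[-revision]": the last '-' separates the Debian revision
    epoch, sep, rest = v.partition(":")
    epoch, rest = (epoch, rest) if sep else ("0", v)
    head, sep, tail = rest.rpartition("-")
    return int(epoch), (head if sep else rest), (tail if sep else "")

def dpkg_compare(a, b):
    # -1, 0 or 1, ordering a against b like "dpkg --compare-versions" would
    (ea, ua, ra), (eb, ub, rb) = parse_version(a), parse_version(b)
    for c in (ea - eb, _verrevcmp(ua, ub), _verrevcmp(ra, rb)):
        if c:
            return 1 if c > 0 else -1
    return 0

def backported_update(installed, release_baseline):
    # Same upstream version, newer Debian revision: a stable update that a check
    # comparing only the upstream version string cannot see
    _, u1, r1 = parse_version(installed)
    _, u2, r2 = parse_version(release_baseline)
    return u1 == u2 and _verrevcmp(r1, r2) > 0
```

A scanner that feeds only `0.9.8n` and `0.9.8o` into the comparison sees "older", while `backported_update` on the full package versions shows whether stable has moved since the release.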