In <4ce7c832.7010...@pcartwright.com>, Paul Cartwright wrote:
>I run rkhunter, and today I got this report:
>
>Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a
>security risk. Warning: Application 'openssl', version '0.9.8n', is out of
>date, and possibly a security risk. Warning: Application 'sshd', version
>'5.5p1', is out of date, and possibly a security risk.
>
>
>I am running Lenny, up-2-date.. is this something I can do anything about?

Well, it would help if rkhunter was more specific. The Debian security team will sometimes take security fixes from newer releases and apply them to the packages in stable without bumping the version number reported by the software.

It does look like "gnupg" and "openssl" have received some updates since the Lenny release, and "openssl" got some from the security team specifically. "openssh-server" hasn't been updated since the Lenny release, AFAIK.

If there is a specific vulnerability you are concerned about, asking on debian-security for the status of a fix might be appropriate.

As far as unknown threats go, there may be security flaws in the Lenny versions that are fixed upstream, but there may also be new flaws introduced upstream that are not in the Lenny versions. Debian policy is that no new upstream versions enter stable, so if you would be more comfortable with newer versions, you'll have to pull from backports, testing, unstable, or possibly even experimental.

gnupg 1.4.11 is in experimental; openssl 0.9.8o is in testing and unstable; openssh-server 5.6p1 is in experimental.

During a freeze (like now) some packages are uploaded to experimental instead of unstable not for any package(ing) specific reason, but to make fixing RC bugs in testing easier. After the freeze you should see these (or newer) versions uploaded to unstable within days.

-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
b...@iguanasuicide.net                  ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
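Added example, not part of the original messages: because stable keeps the upstream version string while the security team backports fixes, the place to look is the package's Debian changelog, which records the fixes per Debian revision. The sketch below lists the CVE identifiers mentioned under each revision; the function names are hypothetical, and the package name, versions and CVE ids in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example: list which Debian revisions of a package mention CVE fixes.
# Reads a Debian changelog on stdin; prints "<package> <version> <CVE-id>" lines.
cves_by_revision() {
    awk '
        # Header line of a changelog entry: "pkg (version) dist; urgency=..."
        /^[a-z0-9][a-z0-9+.-]* \(/ {
            pkg = $1
            ver = $2
            gsub(/[()]/, "", ver)
            next
        }
        # Any other line: pull out every CVE identifier it mentions.
        {
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                print pkg, ver, substr(line, RSTART, RLENGTH)
                line = substr(line, RSTART + RLENGTH)
            }
        }
    '
}

# Upstream part of a Debian version: strip the epoch and the Debian revision.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-[^-]*$//'
}

# Constructed changelog excerpt (package, versions and CVE ids are placeholders).
sample_changelog() {
    cat <<'EOF'
examplepkg (1.2.3-4+deb1u2) stable-security; urgency=high

  * Backport upstream fix for CVE-0000-0002 and CVE-0000-0003.

 -- Constructed Maintainer <maint@example.org>  Mon, 01 Jan 2001 00:00:00 +0000

examplepkg (1.2.3-4+deb1u1) stable-security; urgency=high

  * Fix CVE-0000-0001.

 -- Constructed Maintainer <maint@example.org>  Sun, 31 Dec 2000 00:00:00 +0000
EOF
}

# On a real system (assumed usage):
#   zcat /usr/share/doc/<package>/changelog.Debian.gz | cves_by_revision
sample_changelog | cves_by_revision
```

Both sample revisions share the upstream version 1.2.3, which is all a version-string check sees, while the changelog shows fixes landing in each revision.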