Paul Cartwright [2010.11.20 1528 -0500]:
> On 11/20/2010 03:14 PM, Boyd Stephen Smith Jr. wrote:
> >> >Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a
> >> >security risk. Warning: Application 'openssl', version '0.9.8n', is out of
> >> >date, and possibly a security risk. Warning: Application 'sshd', version
> >> >'5.5p1', is out of date, and possibly a security risk.
> >
> > It does look like "gnupg" and "openssl" have received some updates since the
> > Lenny release, and "openssl" got some from the security team specifically.
> > "openssh-server" hasn't been updated since the Lenny release, AFAIK.
> >
> > If there is a specific vulnerability you are concerned about, asking on
> > debian-security for the status of a fix might be appropriate. As far as
> > unknown threats go, there may be security flaws in the Lenny versions that are
> > fixed upstream, but there may also be new flaws introduced upstream and are
> > not in the Lenny versions.
> I am not so much concerned about vulnerability as I am rkhunter
> giving me a warning about "up-2-date" apps..
> openssl might concern me, because I use ssl.. same with ssh.. since MOST
> of what I do is behind my router, I am not very public internet facing..
> I just don't like getting messages that tell me something is NOT
> uptodate, when I am ALWAYS up to date..

If I recall correctly from a previous thread on this list, rkhunter simply tests whether you have the most recent version of these applications installed and warns you if you don't. I simply ignored these warnings when I got them.

If I understand the documentation of rkhunter (which is very sparse) correctly, you can eliminate these warnings by adding ATTRWHITELIST=<path to gpg> and the same for anything else you get these warnings for to /etc/rkhunter.conf. Again, if I understand correctly, this will also turn off other attribute checks for these programs, including uid/gid, etc. Since these may be useful checks to detect malicious modifications on your system, you may not want to do this.

Cheers,
Norbert
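
An added example, not part of the thread: rkhunter's configuration file also has an APP_WHITELIST option (not mentioned in the messages above) that takes name:version pairs for the application version test, so a whitelist can be pinned to exactly the versions already reviewed. The helper name and the sample input are constructed; the versions are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: turn rkhunter "out of date" application warnings into a
# version-pinned APP_WHITELIST line for review before it goes into
# /etc/rkhunter.conf. app_whitelist_from_warnings is a hypothetical helper.

# Constructed sample input: the three warnings quoted in the thread, one
# repeated, plus a constructed non-warning line that must be ignored.
SAMPLE_WARNINGS="Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8n', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '5.5p1', is out of date, and possibly a security risk.
Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a security risk.
Info: End of application version checks"

app_whitelist_from_warnings() {
    # Accept only plain name/version characters, so nothing unexpected
    # from a log line can end up in the configuration file.
    token="[A-Za-z0-9._+-]\{1,\}"
    # grep -o isolates each warning even when several share one line;
    # "|| true" keeps a log with no warnings from counting as an error.
    { grep -o "Application '$token', version '$token', is out of date" || true; } |
        sed "s/^Application '\($token\)', version '\($token\)'.*/\1:\2/" |
        LC_ALL=C sort -u |
        awk '{ list = list (NR > 1 ? " " : "") $0 }
             END { if (NR) printf "APP_WHITELIST=\"%s\"\n", list }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_WARNINGS" | app_whitelist_from_warnings
```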