rkhunter worries?

mkthnx001
Posts: 8
Joined: 2009-07-02 03:51

rkhunter worries?

#1 Post by mkthnx001 »

So I ran a scan with rkhunter, and noticed this in the output:

Code:

[21:46:14]   Checking version of Exim MTA                    [ Warning ]
[21:46:14] Warning: Application 'exim', version '4.69', is out of date, and possibly a security risk.
[21:46:14]   Checking version of GnuPG                       [ Warning ]
[21:46:14] Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
[21:46:14] Info: Application 'httpd' not found.
[21:46:14] Info: Application 'named' not found.
[21:46:14]   Checking version of OpenSSL                     [ Warning ]
[21:46:14] Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
[21:46:14]   Checking version of OpenSSH                     [ Warning ]
[21:46:14] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.

I'm pretty sure these are the latest versions of these programs released in Debian's packages, but I know they're not the latest ones released by said programs' developers.

Should I be worried, or not? Should I install the latest versions manually?

Bulkley
Posts: 6386
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

Re: rkhunter worries?

#2 Post by Bulkley »

Try chkrootkit. Even rkhunter suggests that you supplement it with chkrootkit.

dfirvida
Posts: 2
Joined: 2009-11-30 15:31

Re: rkhunter worries?

#3 Post by dfirvida »

I think that is not a problem with a rootkit.

Today I have the same errors on 2 Debian hosts and 2 Ubuntu hosts. I think it is a problem with the rkhunter package or db.

Does anyone have more info?

julian67
Posts: 4633
Joined: 2007-04-06 14:39
Location: Just hanging around
Been thanked: 7 times

Re: rkhunter worries?

#4 Post by julian67 »

It isn't a problem with either rkhunter or the Debian packages. The messages are in plain English, how about reading them and considering what they are saying?
version '#.##', is out of date, and possibly a security risk.
It's identifying packages which have a newer version available, that's all. Sometimes a newer package version is available upstream than in a distribution repository. This is usually going to be the case, especially with Debian stable. It doesn't mean there is a security issue. If you are worried you can check why a newer version was released (possible reasons being bugfix, security issue, feature enhancement, for the hell of it) and if it's a security issue then have a look at http://www.debian.org/security/ and reassure yourself that Debian issued a patch, and make sure that you keep your system up to date, at least with the security repo. Sometimes people get very excited about version numbers and assume that Debian stable contains older/vulnerable packages but generally the fixes are patched without upgrading to the latest version. Example: http://www.debian.org/security/2009/dsa-1933
Aaron Siegel discovered that the web interface of cups, the Common UNIX Printing System, is prone to cross-site scripting attacks.

For the oldstable distribution (etch), this problem has been fixed in version 1.2.7-4+etch9.

For the stable distribution (lenny), this problem has been fixed in version 1.3.8-1+lenny7.
So you can see the same fix has been applied to very different (and both old) versions of the package and anyone who keeps their system up to date needn't be concerned. Panic over.

rkhunter can be a very useful tool but it requires the end user to be familiar with their distro's release and security policies and practices.
Wisdom from my inbox: "do not mock at your pottenocy"


advocatux
Posts: 164
Joined: 2009-11-07 20:20
Location: /Earth/EU/ES/And/Co

Re: rkhunter worries?

#6 Post by advocatux »

Hi, just for the record and added information see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560157

As Julien Valroff points out:
You can use the APP_WHITELIST option to whitelist application versions you trust.

I think what happened is that upstream released version 1.3.6 very recently, and database were updated (either automatically through the weekly cronjob if you use it, or by hand running rkhunter --update)
Omnis enim res, quae dando non deficit, dum habetur et non datur, nondum habetur, quomodo habenda est (Augustine of Hippo promoting Free Software in the 4th century).
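
An added example (not part of the thread and not rkhunter's own code): a shell function that turns the "out of date" warnings quoted in post #1 into an APP_WHITELIST line in name:version form, for use once the Debian security pages confirm the packaged versions carry the fixes. The function names and the embedded sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive an APP_WHITELIST line for rkhunter.conf from the
# application version warnings in an rkhunter log.

# Reads rkhunter log text on stdin and prints one APP_WHITELIST line.
# Only "Warning: Application 'name', version 'x', is out of date" lines are
# used; "Info: ... not found" and "Checking version" lines are ignored.
# Names and versions are limited to [A-Za-z0-9_.+-] so nothing unexpected
# from the log can end up in the config line.
app_whitelist_from_log() {
    sed -n "s/.*Warning: Application '\([A-Za-z0-9_.+-]\{1,\}\)', version '\([A-Za-z0-9_.+-]\{1,\}\)', is out of date.*/\1:\2/p" |
        sort -u |
        awk '{ list = list (NR > 1 ? " " : "") $0 }
             END { if (NR) printf "APP_WHITELIST=\"%s\"\n", list }'
}

# Constructed sample input: log lines copied from post #1 of this thread.
sample_log() {
    cat <<'EOF'
[21:46:14]   Checking version of Exim MTA                    [ Warning ]
[21:46:14] Warning: Application 'exim', version '4.69', is out of date, and possibly a security risk.
[21:46:14] Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
[21:46:14] Info: Application 'httpd' not found.
[21:46:14] Info: Application 'named' not found.
[21:46:14] Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
[21:46:14] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
EOF
}

# Print the suggested line for review before copying it into rkhunter.conf.
sample_log | app_whitelist_from_log
```

Because each entry carries the version that was checked, the whitelist covers only that version; review the list again after the package is upgraded.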
