Package: libkeyutils1
Version: 1.6.1-2
Severity: grave
Tags: security
Justification: user security hole


After upgrading

  [UPGRADE] libkeyutils1:amd64 1.6-6 -> 1.6.1-2

I get the following warning with

  # rkhunter --sk -c 

in /var/log/rkhunter.log:

  Info: Starting test name 'running_procs'
    Checking running processes for suspicious files [ Warning ]
  Warning: The following processes are using suspicious files:
           Command: sshd
             UID: 0    PID: 7331
             Pathname: /lib/x86_64-linux-gnu/
             Possible Rootkit: Spam tool component

I tried to reinstall libkeyutils1/1.6.1-2, after checking the SHA256
checksum of the .deb file. The warning was issued again.

On the other hand, after downgrading to libkeyutils1/1.6-6
and restarting ssh

  # service ssh restart

the warning vanishes.

Does libkeyutils1/1.6.1-2 ship a rootkit?
Or is it a false positive from rkhunter?

Please investigate.
Thanks for your time!

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (800, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libkeyutils1 depends on:
ii  libc6  2.29-10

libkeyutils1 recommends no packages.

libkeyutils1 suggests no packages.

-- no debconf information

Reply via email to