Package: libkeyutils1
Version: 1.6.1-2
Severity: grave
Tags: security
Justification: user security hole

Hello!

After upgrading

[UPGRADE] libkeyutils1:amd64 1.6-6 -> 1.6.1-2

I get the following warning with

# rkhunter --sk -c

in /var/log/rkhunter.log:

Info: Starting test name 'running_procs'
  Checking running processes for suspicious files [ Warning ]
Warning: The following processes are using suspicious files:
         Command: sshd
           UID: 0    PID: 7331
           Pathname: /lib/x86_64-linux-gnu/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component

I tried to reinstall libkeyutils1/1.6.1-2, after checking the SHA256 checksum of the .deb file. The warning was issued again.

On the other hand, after downgrading to libkeyutils1/1.6-6 and restarting ssh

# service ssh restart

the warning vanishes.

Does libkeyutils1/1.6.1-2 ship a rootkit? Or is it a false positive from rkhunter? Please investigate.

Thanks for your time!

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (800, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libkeyutils1 depends on:
ii  libc6  2.29-10

libkeyutils1 recommends no packages.

libkeyutils1 suggests no packages.

-- no debconf information
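
A check that narrows the question raised in the report, as an added example that is not part of the original report and not rkhunter or Debian code: it compares the flagged file with the checksum dpkg recorded for it at install time. The function name and the script invocation are assumptions; the checksum list follows dpkg's /var/lib/dpkg/info/<package>.md5sums layout.

```shell
#!/bin/sh
# Added example: compare a file flagged by a scanner with the checksum dpkg
# recorded for it at install time.
# Limit: the checksum list is local state. It shows whether the file is the one
# the package installed, not whether the package itself is trustworthy, and an
# attacker with root could rewrite the list as well.

# verify_pkg_file MD5SUMS ROOT PATH
#   MD5SUMS  dpkg checksum list, lines of "<md5>  <path relative to ROOT>"
#   ROOT     filesystem root the listed paths are relative to (normally /)
#   PATH     absolute path reported by the scanner
# Prints a verdict and the path; returns 0 = matches the package,
# 1 = content differs, 2 = not shipped by this package or file missing.
verify_pkg_file() {
    sums=$1
    root=${2%/}
    rel=${3#/}
    # Look the path up by exact match; a listed path may contain spaces.
    expected=$(awk -v p="$rel" '{ h = $1; sub(/^[^ ]+ +/, "")
                                  if ($0 == p) { print h; exit } }' "$sums")
    if [ -z "$expected" ]; then echo "NOT-LISTED $rel"; return 2; fi
    if [ ! -f "$root/$rel" ]; then echo "MISSING $rel"; return 2; fi
    actual=$(md5sum "$root/$rel" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then echo "OK $rel"; return 0; fi
    echo "MISMATCH $rel"
    return 1
}

# Live use (assumed invocation, script saved as check.sh):
#   sh check.sh libkeyutils1:amd64 /lib/x86_64-linux-gnu/libkeyutils.so.1.9
if [ "$#" -eq 2 ]; then
    verify_pkg_file "/var/lib/dpkg/info/$1.md5sums" / "$2"
fi
```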