Package: rkhunter
Version: 1.3.2
Severity: important

rkhunter is complaining about some packages installed on my system 
(Lenny). I consider them security relevant and was quite a bit spooked 
upon having them reported as 'out of date' despite my running updates 
against s.d.o every day. apt-cache also reports them as up-to-date.

Here's an excerpt from rkhunter's daily report:

%< snip

Warning: Application 'exim', version '4.69', is out of date, and 
possibly a security risk.
Warning: Application 'gpg', version '1.4.9', is out of date, and 
possibly a security risk.
Warning: Application 'openssl', version '0.9.8g', is out of date, and 
possibly a security risk.
Warning: Application 'php', version '5.2.6', is out of date, and 
possibly a security risk.
Warning: Application 'sshd', version '5.1p1', is out of date, and 
possibly a security risk.

%< eosnip

Probably, rkhunter doesn't know about patches backported in lenny and 
such and has been given a database which doesn't quite correspond with 
Debian lenny. Note that rkhunter advises against binaries 
rather than packages, which supports the above thesis.

I trust the Debian security team more than rkhunter; still, it is a 
bit unsettling.



-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
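
An added example, not part of the original report and not rkhunter's own code: one way to triage the "out of date" warnings above against what apt reports for the owning packages. The binary-to-package mapping, the package names and the Debian revision strings are constructed assumptions; only the upstream versions come from the report.

```python
import re

# Constructed sample: rkhunter warnings, wrapped as in the mailed report.
RKHUNTER_REPORT = """\
Warning: Application 'openssl', version '0.9.8g', is out of date, and
possibly a security risk.
Warning: Application 'sshd', version '5.1p1', is out of date, and
possibly a security risk.
Warning: Application 'php', version '5.2.6', is out of date, and
possibly a security risk.
"""

# Constructed `apt-cache policy` output; the Debian revisions are placeholders.
APT_POLICY = """\
openssl:
  Installed: 0.9.8g-0constructed2
  Candidate: 0.9.8g-0constructed2
openssh-server:
  Installed: 1:5.1p1-0constructed1
  Candidate: 1:5.1p1-0constructed3
"""

# Assumed binary-to-package mapping (what `dpkg -S <path>` would report).
OWNER = {"openssl": "openssl", "sshd": "openssh-server", "php": "php5-cli"}

WARN_RE = re.compile(r"Warning: Application '([^']+)', version '([^']+)',\s+is out of date")
POLICY_RE = re.compile(r"^(\S+):\n\s+Installed: (\S+)\n\s+Candidate: (\S+)", re.M)

def upstream(debver):
    """Strip the epoch and Debian revision: '1:5.1p1-3' -> '5.1p1'."""
    no_epoch = debver.split(":", 1)[-1]
    return no_epoch.rsplit("-", 1)[0] if "-" in no_epoch else no_epoch

def triage(report, policy, owner):
    """Classify each warned application by the package manager's view of it."""
    state = {p: (i, c) for p, i, c in POLICY_RE.findall(policy)}
    result = {}
    for app, ver in WARN_RE.findall(report):
        pkg = owner.get(app)
        if pkg not in state:
            result[app] = "unmanaged"         # no package data: check by hand
        elif state[pkg][0] != state[pkg][1]:
            result[app] = "update-pending"    # apt has a newer candidate
        elif upstream(state[pkg][0]) == ver:
            result[app] = "distro-current"    # same upstream version, nothing newer in apt
        else:
            result[app] = "version-mismatch"  # binary differs from the packaged version
    return result
```

A "distro-current" verdict only says the package matches apt's candidate; whether a given fix was backported still has to be read from the package changelog or the distribution's security advisories.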


