furicle, while it is true that Ubuntu backports fixes from upstream versions, it's incorrect to say that the version number doesn't change. For instance, on Hardy at the moment the current version of PHP is PHP 5.2.4-2ubuntu5.9; Ubuntu doesn't increment the 5.2.4-2 part, but it does increment the ubuntu5.9 part. For the white list scheme to work, every Ubuntu package rkhunter looks at would have to synchronize its releases with concurrent updates of the rkhunter white list. That hardly seems worth it to me.
Additionally, since those applications would be white listed, the user wouldn't even know they were vulnerable unless they somehow updated rkhunter with updating any other packages (since those other packages would presumably already be patched). The white list just doesn't make sense with Ubuntu packages. The only real solution is to maintain a separate version of rkhunter's bad package database, and I don't see anyone volunteering to do that. I personally hardly think it's worth it.

--
rkhunter reports openssl and sshd versions out of date
https://bugs.launchpad.net/bugs/493607
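The version layout discussed in the comment above, as an added example that is not part of the original message and is not rkhunter's code: it splits a Debian/Ubuntu package version into epoch, upstream version and distribution revision, and shows that a check looking only at the upstream part cannot tell two Ubuntu builds apart. The version 5.2.4-2ubuntu5.8 and the threshold 5.2.6 are constructed for illustration; only 5.2.4-2ubuntu5.9 comes from the comment.

```python
import re


def split_debian_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:                      # no epoch present, default is 0
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:                      # native package, no distro revision
        upstream, revision = rest, ""
    return epoch, upstream, revision


def upstream_tuple(upstream):
    """Leading dotted-numeric part as ints, e.g. '5.2.4' -> (5, 2, 4)."""
    m = re.match(r"\d+(?:\.\d+)*", upstream)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def upstream_only_check(installed, minimum_upstream):
    """Hypothetical scanner check: flag when the upstream part is too old.

    The distribution revision, where backported fixes show up, is ignored.
    """
    _, upstream, _ = split_debian_version(installed)
    return upstream_tuple(upstream) < upstream_tuple(minimum_upstream)


def report(versions, minimum_upstream):
    """Return (version, upstream, revision, flagged) for each version."""
    rows = []
    for v in versions:
        _, upstream, revision = split_debian_version(v)
        rows.append((v, upstream, revision,
                     upstream_only_check(v, minimum_upstream)))
    return rows


if __name__ == "__main__":
    # First value is from the comment; the second and the threshold
    # are constructed sample data.
    for row in report(["5.2.4-2ubuntu5.9", "5.2.4-2ubuntu5.8"], "5.2.6"):
        print("%-18s upstream=%-6s revision=%-11s flagged=%s" % row)
```

Both builds are flagged identically because the only field that differs between them is the revision, which the upstream-only comparison never reads.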
