Koozali.org: home of the SME Server

RKHunter say Apache/GNUPG/OPENSSL and ProFTPd are vulnerable

trakker

RKHunter say Apache/GNUPG/OPENSSL and ProFTPd are vulnerable
« on: February 09, 2005, 07:45:42 PM »
RKHunter states
apache 1.3.27
gnupg 1.0.7
openssl 0.9.6b
and
proftp 1.2.9

are vulnerable, but I can't seem to find any updates for these (or info regarding the vulnerability either)

Any help here?

Thanks

Trakker

trakker

updates
« Reply #1 on: February 09, 2005, 08:04:11 PM »
Just found a new update script (these forums)

Thanks

Trakker

CharlieBrady
Re: RKHunter say Apache/GNUPG/OPENSSL and ProFTPd are vulner
« Reply #2 on: February 09, 2005, 09:00:52 PM »
Quote from: "trakker"
RKHunter states
apache 1.3.27
gnupg 1.0.7
openssl 0.9.6b
and
proftp 1.2.9

are vulnerable, but I can't seem to find any updates for these (or info regarding the vulnerability either)


RKHunter could be wrong. It very likely is wrong if it is depending just on version numbers to infer that software is vulnerable. All of those packages you have identified have had various patches applied. And gnupg isn't even used.

If you ever think you've discovered a security vulnerability, send mail to security@contribs.org. That way contribs.org have a chance to fix it before you tell the world about the problem. Or they get a chance to explain to you why there isn't a problem.

trakker

not intended....
« Reply #3 on: February 09, 2005, 09:07:12 PM »
Thanks Charlie,

didn't mean to blab to the world about a supposed vulnerability...

Am relatively new to Linux (but have been using SME since version 5 (2 x Dell 650's in business setting))

again, my apologies....

Trakker

slords
RKHunter say Apache/GNUPG/OPENSSL and ProFTPd are vulnerable
« Reply #4 on: February 09, 2005, 11:55:24 PM »
rkhunter is such a load of #$&%#$!!  All it does is scan your system for packages and compares it to a list of version numbers.  If it doesn't match the latest version then it says you are vulnerable.

What it should really be called is "checkforlatestversion".  That is all it really does.

-Shad
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs,
and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." -- Rich Cook

marsa_matruh
Re: RKHunter say Apache/GNUPG/OPENSSL and ProFTPd are vulner
« Reply #5 on: February 10, 2005, 10:12:14 AM »
Quote from: "CharlieBrady"
Or they get a chance to explain to you why there isn't a problem.


In that case, can you also put the answer somewhere on the contribs.org website? So everybody can know that there is no need to upgrade apache, gnupg, openssl, proftp, php and some more ...

(Maybe nobody is doing security reports)

duncan

Re: RKHunter say Apache/GNUPG/OPENSSL and ProFTPd are vulner
« Reply #6 on: February 10, 2005, 10:27:49 AM »
Quote from: "marsa_matruh"
Quote from: "CharlieBrady"
Or they get a chance to explain to you why there isn't a problem.


In that case, can you also put the answer somewhere on the contribs.org website? So everybody can know that there is no need to upgrade apache, gnupg, openssl, proftp, php and some more ...

(Maybe nobody is doing security reports)


It's been mentioned in the forums more than once.

mbachmann

Re: RKHunter say Apache/GNUPG/OPENSSL and ProFTPd are vulner
« Reply #7 on: February 10, 2005, 11:12:23 AM »
Quote from: "marsa_matruh"
In that case, can you also put the answer somewhere on the contribs.org website?


I did: http://no.longer.valid/phpwiki/index.php/SecurityFAQ#rkunter

trakker

poking the hornets nest
« Reply #8 on: February 10, 2005, 05:05:14 PM »
Wow, seems I've provoked er pushed/punched a few buttons here....  

note to self: disregard rkhunter vulnerabilities listing.

Trakker

mdo
RKHunter say Apache/GNUPG/OPENSSL and ProFTPd are vulnerable
« Reply #9 on: February 10, 2005, 06:58:18 PM »
You could also change /etc/cron.daily/rkhunter (or its template) and add "skip-application-check".

my $command='/usr/local/bin/rkhunter --skip-application-check --cronjob'.(FULL_REPORT?'':' --quiet');

Regards,
Michael
...

CharlieBrady
RKHunter say Apache/GNUPG/OPENSSL and ProFTPd are vulnerable
« Reply #10 on: February 11, 2005, 12:01:49 AM »
Quote from: "slords"
rkhunter is such a load of #$&%#$!!  All it does is scan your system for packages and compares it to a list of version numbers.  If it doesn't match the latest version then it says you are vulnerable.

What it should really be called is "checkforlatestversion".  That is all it really does.


No, that's not all it does. It also searches for real evidence that a system has been compromised, looking for various telltale signs, such as known cracking tools, and hidden temporary directories. So it's not as bad as you think it is, and not as good as others would make out.

alexsmithmcp

RKHunter say Apache/GNUPG/OPENSSL and ProFTPd are vulnerable
« Reply #11 on: February 11, 2005, 09:24:40 AM »
But this is indeed what catches a lot of people. I believe it is because Red Hat/Fedora backport their patches to older versions of software and don't change the version numbers. If you're worried about the security of packages, the best thing you could do is join one of the security mailing lists for the distro you're using :)
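The point made in Replies #4 and #11, that a tool comparing only version numbers will flag a package whose fix was backported without a version bump, can be shown with a small script. This is an added example, not code from the thread or from rkhunter: it contrasts a version-only check with a check that looks at the package changelog for the fix. The changelog text and the CVE identifiers (CVE-YYYY-NNNN, CVE-ZZZZ-MMMM) are constructed placeholders; on a real RPM-based system such as SME Server you would read the changelog with `rpm -q --changelog <package>` instead.

```sh
#!/bin/sh
# Added example, not from the forum thread or from rkhunter.
# Shows why "installed version != latest version" is a weak signal when
# the vendor backports fixes, and what to check instead (the changelog).

# Constructed sample changelog standing in for `rpm -q --changelog apache`.
# The CVE identifiers below are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Mon Jan 10 2005 Vendor Packager <packager@example.invalid> 1.3.27-10
- backport fix for CVE-YYYY-NNNN (placeholder identifier)
* Fri Sep 05 2003 Vendor Packager <packager@example.invalid> 1.3.27-9
- rebuild against updated toolchain'

# version_only_check LATEST INSTALLED
# The rkhunter-style test the posters describe: any mismatch is "vulnerable".
version_only_check() {
    if [ "$1" = "$2" ]; then
        echo "ok"
    else
        echo "vulnerable"
    fi
}

# changelog_has_fix CHANGELOG_TEXT CVE_ID
# Returns 0 when the changelog mentions the fix, 1 otherwise.
changelog_has_fix() {
    printf '%s\n' "$1" | grep -qi -- "$2"
}

# assess LATEST INSTALLED CVE_ID CHANGELOG_TEXT
# Combines both checks: a version mismatch is only worth a review when the
# changelog carries no entry for the fix in question.
assess() {
    if [ "$(version_only_check "$1" "$2")" = "ok" ]; then
        echo "ok: installed version $2 matches upstream"
    elif changelog_has_fix "$4" "$3"; then
        echo "ok: fix for $3 backported to $2"
    else
        echo "review: $2 is behind $1 and no changelog entry for $3"
    fi
}

main() {
    # Version-only view: flagged, even though the fix is present.
    version_only_check 1.3.33 1.3.27
    # Changelog-aware view: cleared, because the backport is recorded.
    assess 1.3.33 1.3.27 CVE-YYYY-NNNN "$SAMPLE_CHANGELOG"
    # A fix that is genuinely absent from the changelog still gets flagged.
    assess 1.3.33 1.3.27 CVE-ZZZZ-MMMM "$SAMPLE_CHANGELOG"
}

main "$@"
```

Running it prints `vulnerable` for the version-only test and then one "ok" and one "review" line from `assess`. The changelog check is only as good as the packager's discipline in recording advisory identifiers, which is why Reply #11's advice to follow the distribution's security announcements remains the authoritative source.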