| Summary: | rkhunter false positive for gaskit | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Galen Thurber <galenthurber> |
| Component: | RPM Packages | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | minor | | |
| Priority: | Normal | CC: | geiger.david68210, martynvidler, remco, sysadmin-bugs |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | MGA2TOO has_procedure MGA3-32-OK MGA3-64-OK MGA2-32-OK MGA2-64-OK | | |
| Source RPM: | | CVE: | |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 8172, 9398 | | |
| Attachments: | rkhunter.log file | | |
Description
Galen Thurber
2013-03-10 00:41:28 CET
rkhunter --update
rkhunter --propupd
rkhunter -c
David Walser
2013-03-10 00:44:47 CET
CC:
(none) =>
remco
Galen Thurber
2013-03-10 01:34:26 CET
Summary:
rkhunter false positve for gaskit =>
rkhunter false positive for gaskit

Hi Galen, thank you for your report. I believe this problem has been fixed in rkhunter-1.3.8-3.1.mga2.

@qa: To test this, issue the following three commands:

rkhunter --update
rkhunter --propupd
rkhunter -c

With the version of rkhunter in release, the third command will show that the gaskit rootkit was possibly found. With the updated version in updates_testing, this should no longer be the case.

Advisory text:
==============
Updated rkhunter package eliminates false positive on gaskit rootkit

Using rkhunter on a Mageia 2 system, the gaskit rootkit was erroneously detected as it triggered on the presence of the directory /dev/dev which is commonly available on Mageia systems. This updated package eliminates this false positive.

References:
https://bugs.mageia.org/show_bug.cgi?id=9313

SRPMS:
======
rkhunter-1.3.8-3.1.mga2.src.rpm

RPMS:
=====
rkhunter-1.3.8-3.1.mga2

Assignee:
remco =>
qa-bugs
Remco Rijnders
2013-06-23 17:26:26 CEST
Blocks:
(none) =>
9398
Remco Rijnders
2013-06-23 18:37:09 CEST
Whiteboard:
(none) =>
MGA3TOO

You have this down for testing in MGA3
There is no /dev/dev in either my 32 or 64 mga3?

CC:
(none) =>
martynvidler

Hi martyn, I'm not sure exactly which package creates this directory. But if you have ever put your machine to hibernate / sleep, I expect this directory to be created. If you don't have it on your machine, perhaps you are not the best test subject for this bug report ;-) I do have this directory on both my Mageia 2 and Cauldron system.

As this is the bug with the advisory, I'll make the others depend on this one, and assign the others back to you. Only one bug should be assigned to QA for this update.

Blocks:
(none) =>
8172
David Walser
2013-06-23 21:06:46 CEST
Version:
2 =>
3

As this bug had MGA3TOO, I'm assuming this is being in the Mageia 3 update as well. rkhunter-1.4.0-3.1.mga3 should be included in the package list.

Thanks luigi! Updated advisory text to cover all 3 problem reports:

Advisory text:
==============
Updated rkhunter package addresses various issues

Using rkhunter on a Mageia 2 or 3 system, the gaskit rootkit was erroneously detected as it triggered on the presence of the directory /dev/dev which is commonly available on Mageia systems.

Furthermore, the whitelisting of a file which no longer is present on Mageia 3 systems would prevent rkhunter from starting properly. Other files which should have been whitelisted were missing, resulting in warnings appearing.

This update addresses these issues. rkhunter users are advised to install the updated package.

References:
https://bugs.mageia.org/show_bug.cgi?id=9313
https://bugs.mageia.org/show_bug.cgi?id=9398
https://bugs.mageia.org/show_bug.cgi?id=8172

SRPMS:
======
rkhunter-1.3.8-3.1.mga2.src.rpm
rkhunter-1.4.0-3.1.mga3.src.rpm

RPMS:
=====
rkhunter-1.3.8-3.1.mga2
rkhunter-1.4.0-3.1.mga3

Confirmed that the update fixes all three bugs on x86_64, Mageia 3
I executed rkhunter -c and /etc/cron.daily/rkhunter each time, rkhunter ran and did not report any warnings.

Testing complete on Mageia 3 i586.

Bug 9313: Did not see any false positive, but with the package in core/release, "rkhunter -c" would just show the error of bug 9398. With the update candidate, the check is performed.

Bug 9398: Could reproduce, and the update fixes it.

Bug 8172: Could not reproduce with rkhunter-1.4.0-3.mga3 from core/release, so I suppose it was fixed between mga3 alpha3 and the release. If yes it should be removed from the advisory.

--
@James Kerr: Thanks for testing on x86_64, I added MGA3-64-OK to the whiteboard for you.

CC:
(none) =>
remi

Re bug 8172. /etc/cron.daily/rkhunter was reporting that warning before the update. See my comment on that bug.

Testing complete on Mageia 2 x86_64 for bug #9313

Whiteboard:
MGA2TOO MGA3-32-OK MGA3-64-OK =>
MGA2TOO MGA3-32-OK MGA3-64-OK MGA2-64-OK

Advisory added to svn
claire robinson
2013-06-25 13:14:51 CEST
Whiteboard:
MGA2TOO MGA3-32-OK MGA3-64-OK MGA2-64-OK =>
MGA2TOO has_procedure MGA3-32-OK MGA3-64-OK MGA2-64-OK

Created attachment 4167
rkhunter.log file
Testing complete for rkhunter-1.4.0-3.1.mga3 on Mageia release 3 (Official) for x86_64, for me it's Ok no false positive on check.
rkhunter --update
rkhunter --propupd
rkhunter -c

CC:
(none) =>
geiger.david68210

Testing complete on Mageia 2 i586.

Validating update. Please commit the advisory (comment 7) and push the update.

Keywords:
(none) =>
validated_update

http://advisories.mageia.org/MGAA-2013-0036.html

Status:
NEW =>
RESOLVED
Nicolas Vigier
2014-05-08 18:06:33 CEST
CC:
boklm =>
(none)
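
The false positive described in the advisory text, as an added sketch that is not part of the bug report and not rkhunter's code: a check that fires on the mere existence of /dev/dev, run against constructed directory trees. The check_dirs function, its whitelist argument and the message strings are assumptions for illustration; the report does not say how the updated package suppresses the match.

```shell
#!/bin/sh
# Added illustration, not rkhunter code: a rootkit check that fires on the
# mere existence of a directory, plus a directory whitelist (assumed mitigation).

# The only gaskit indicator named in the advisory text.
GASKIT_DIRS="/dev/dev"

# check_dirs ROOT "SIGNATURE_DIRS" "WHITELIST"
# Prints one line per signature directory found under ROOT.
# Returns 1 if any hit is not whitelisted, 0 otherwise.
check_dirs() {
    root=$1 sigs=$2 allow=$3 rc=0
    for d in $sigs; do
        [ -d "$root$d" ] || continue      # absent: nothing to report
        case " $allow " in
            *" $d "*)
                # The whitelist hides the directory match only; count what is
                # inside so unexpected content in the same place stays visible.
                n=$(ls -A "$root$d" | wc -l | tr -d ' ')
                echo "whitelisted: $d ($n entries inside, review if unexpected)" ;;
            *)
                echo "Warning: possible rootkit directory: $d"
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed trees standing in for the three situations in the thread.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/with/dev/dev" "$t/without/dev"
    check_dirs "$t/with" "$GASKIT_DIRS" ""           # host with /dev/dev: false positive
    check_dirs "$t/without" "$GASKIT_DIRS" ""        # host without it: cannot reproduce
    check_dirs "$t/with" "$GASKIT_DIRS" "/dev/dev"   # whitelisted: no warning
    rm -rf "$t"
}
demo
```

The second case is why a tester whose system has no /dev/dev cannot reproduce the report: the check stays silent with or without the fix.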