A security issue in rkhunter has been announced (by Michael Scherer!):
http://openwall.com/lists/oss-security/2017/06/29/2

IMO, the best fix for this is to disable the automatic downloading rkhunter cron completely. We've seen it before where a package has some poorly implemented and insecure script for automatically downloading something, where it's also most likely unintuitive to the person installing the package that it would even be doing something like that to begin with (geoip used to be another example until I finally discovered it and removed its horrible script). In general I think these sorts of things should be disabled by default in packages.

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => remco
If this is a security risk, why not with automatic downloading by microcode_ctl via cron every month ???
CC: (none) => dvgevers
(In reply to Dick Gevers from comment #2)
> If this is a security risk, why not with automatic downloading by
> microcode_ctl via cron every month ???

That very well may be too.
Cron disabled in the Mageia 6 package, but included as documentation.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Upstream has released version 1.4.4 on June 29:
http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/CHANGELOG

It lists a change related to this:
- Tighten up the input verification check on the mirror file to ensure that only URL's are used as a mirror. (CVE-2017-7480)

We could consider shipping an update to this version.
This package no longer has a maintainer.
Assignee: remco => pkg-bugs
This package could still use an update, but just disabling the cron job for now.

Advisory:
========================

Updated rkhunter package fixes security vulnerability:

The rkhunter package has been updated to disable by default an insecure cron job. The script is now included with the package as documentation. See the README.urpmi file for more information.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7480
http://openwall.com/lists/oss-security/2017/06/29/2
========================

Updated packages in core/updates_testing:
========================
rkhunter-1.4.0-7.1.mga5

from rkhunter-1.4.0-7.1.mga5.src.rpm
Assignee: pkg-bugs => qa-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
at CLI

# rkhunter -h
Usage: rkhunter {--check | --unlock | --update | --versioncheck |
--propupd [{filename | directory | package name},...] |
--list [{tests | {lang | languages} | rootkits | perl | propfiles}] |
--config-check | --version | --help} [options]
Current options are:
--append-log Append to the logfile, do not overwrite
etc ...

# rkhunter -C
no feedback supposes config is all right.

# rkhunter -c
[ Rootkit Hunter version 1.4.0 ]
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
and loads of None found and OK, except for
/usr/sbin/unhide [ Warning ]
/usr/sbin/unhide-tcp [ Warning ]
/usr/sbin/unhide-linux [ Warning ]
that is a dependency package for rkhunter, freshly installed (not in its .dat file)
and
Checking for hidden files and directories [ Warning ]
but that is about /etc/.update which seems OK

Good to go.
Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0029.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED