Date:      Sun, 16 Jul 2017 14:50:46 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 220765] [MAINTAINER] security/rkhunter: Update to 1.4.4
Message-ID:  <bug-220765-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220765

            Bug ID: 220765
           Summary: [MAINTAINER] security/rkhunter: Update to 1.4.4
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs@FreeBSD.org
          Reporter: lukasz@wasikowski.net

Created attachment 184397
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=184397&action=edit
svn diff updating rkhunter to 1.4.4

Update rkhunter to the latest version.

CHANGELOG:

* 1.4.4 (29/06/2017)

 New:
 - Added the GLOBSTAR configuration file option. This will set the
   shell's globstar option to allow recursive checks of directories.
   By default this option is disabled.
 - Added a Japanese translation file.
 - Added support for the 'BSDng' package manager option. This can
   be used by those *BSD systems which have the 'pkg' command
   available (currently later FreeBSD systems).
 - The BSD package manager will now try the 'pkg_info' command '-W'
   option if the '-F' option fails.
 - Added the LOCKDIR configuration option. It is now possible to
   specify the directory rkhunter will use to store the lock file
   (if USE_LOCKING has been set). The default is unset, and this
   will cause rkhunter to look for a directory to use. Details are
   in the configuration file.
 - Added the ALLOWIPCPROC configuration file option. This can be
   used to whitelist suspicious processes using shared memory
   segments (found during the 'ipc_shared_mem' check).

 Changes:
 - The DISABLE_UNHIDE option has been removed from the configuration
   file. It is no longer required as disabling the 'hidden_procs' or
   'hidden_ports' tests has the same effect.
 - The installer now installs directories and executable files with
   mode 700, other files are set as mode 600. The man page is left
   at mode 644. The documentation directory is mode 755, and the
   files within it are mode 644. The 'rkhunter' program itself will
   set the mode of copied files to 600 (for example log files, and
   the passwd/group files).
 - By default the 'apps' test is now disabled in the configuration
   file.
 - The default hash function for the file properties test, given by
   the HASH_CMD option in the configuration file, has now changed
   to SHA256. It was previously SHA1, or MD5 if SHA1 was not found.
 - Previously the lock file (if locking was used) was just an empty
   file. It now contains the PID of the running process.
 - The 'system_configs' test name has now been changed into a test
   group consisting of the two tests 'system_configs_ssh' and
   'system_configs_syslog'. Each test may now be enabled or disabled
   individually.
 - The 'other_malware' test name has been removed, and replaced by
   the 'login_backdoors', 'sniffer_logs', 'tripwire', 'susp_dirs'
   and 'ipc_shared_mem' test names. These are now all part of the
   'malware' test group.

 Bugfixes:
 - Ensure that 'lsof' errors are not displayed.
 - Ensure that 'ipcs' errors and the locale are handled correctly.
 - Correct broken pipe errors in some commands.
 - For Solaris users set the 'awk' command very early on so that
   option processing works correctly.
 - The ALLOWPROCDELFILE option was not handling multiple pathnames
   or wildcards correctly. It was also not handling the option
   pathnames correctly.
 - The SCANROOTKITMODE configuration option was never actually read
   as a configuration option.
 - The '--config-check'/'-C' option could produce incorrect error
   messages in certain circumstances.
 - Setting the ALLOW_SSH_PROT_V1 option to '2' could cause warning
   messages when SSH protocol 1 was allowed.
 - Allow Linux 'grep' to work correctly with binary (i18n) files.
 - Multiple UID0_ACCOUNTS and PWDLESS_ACCOUNTS options were not being
   handled correctly.
 - Uppercase test names were not being handled correctly.
 - Changed the 'logger' command tag from 'Rootkit Hunter' to 'rkhunter'
   to avoid problems with spaces.
 - Ensure that 'fdescfs' filesystems are correctly detected.
 - To try and avoid colour escape sequences being logged, both of
   the variables CLICOLOR and CLICOLOR_FORCE are unset for *BSD and
   SunOS systems.
 - The 'startup_malware' and 'possible_rkt_strings' checks will now
   check systemd startup scripts if they are located in the
   '/etc/systemd/system' directory.
 - The 'sockstat' command output on BSD systems can become corrupted
   if a username is very long. This is now detected, and processed
   correctly.
 - The 'shared_libs' test now recognises comments in the preload file.
 - The ALLOWPROMISCIF configuration option was not handling multiple
   occurrences correctly. This has now been corrected.
 - Tighten up the input verification check on the mirror file to
   ensure that only URLs are used as a mirror. (CVE-2017-7480)
 - The BSD package manager seemed to be needlessly stripping out
   parts of package names on NetBSD systems. It no longer does this.
 - In certain cases it was possible for certain tests to not display
   any output. This has now been corrected.
 - The installer did not always add the 'rkhunter.d' directory, if
   it existed, to the main configuration file for monitoring.

-- 
You are receiving this mail because:
You are the assignee for the bug.
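
As an added example (not part of the original bug report or of rkhunter itself), a small shell lint that flags settings in an existing configuration file affected by the 1.4.4 changes listed above: the removed DISABLE_UNHIDE option, the removed 'other_malware' test name, and a HASH_CMD still set to MD5 or SHA1. The function name `lint_rkhunter_conf` is hypothetical and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not rkhunter code): flag rkhunter.conf settings that the
# 1.4.4 changelog removed, renamed or re-defaulted.

lint_rkhunter_conf() {
    awk '
        /^[ \t]*#/ || !/=/ { next }        # skip comments and non-option lines
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)
        }
        # Option removed in 1.4.4; the two tests below replace it.
        key == "DISABLE_UNHIDE" {
            print "REMOVED DISABLE_UNHIDE: disable hidden_procs/hidden_ports instead"
        }
        # Test name removed in 1.4.4; compare lowercased, one name at a time.
        key == "ENABLE_TESTS" || key == "DISABLE_TESTS" {
            n = split(tolower(val), name, /[ \t,"]+/)
            for (i = 1; i <= n; i++)
                if (name[i] == "other_malware")
                    print "RENAMED other_malware in " key ": use login_backdoors sniffer_logs tripwire susp_dirs ipc_shared_mem"
        }
        # An explicit MD5/SHA1 setting overrides the new SHA256 default.
        key == "HASH_CMD" && tolower(val) ~ /md5|sha1/ {
            print "LEGACY HASH_CMD=" val ": 1.4.4 defaults to SHA256"
        }
    ' "$1"
}

# Constructed sample configuration, as it might look before the update.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# rkhunter.conf (constructed sample)
ENABLE_TESTS=ALL
DISABLE_TESTS=suspscan Other_Malware apps
DISABLE_UNHIDE=1
HASH_CMD=SHA1
USE_LOCKING=1
EOF
findings=$(lint_rkhunter_conf "$sample")
rm -f "$sample"
printf '%s\n' "$findings"
```

If HASH_CMD is changed, the stored file-properties baseline was computed with the old hash function and has to be regenerated with `rkhunter --propupd` before the next check.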


