rkhunter cannot detect minor (Gentoo-specific?) revision numbers when comparing known good/bad versions against programs_bad.dat and programs_good.dat. The best example I have is openssl-0.9.7e-r2, which rkhunter sees as vulnerable (presumably due to GLSA 200510-11). Unpatched 0.9.7e *is* vulnerable, but r2 applies the CAN-2005-2969 patch and so it should not be.

Reproducible: Always

Steps to Reproduce:
1. rkhunter -c

Actual Results:
rkhunter reports openssl-0.9.7e as vulnerable (which is correct), but the installed version should not be vulnerable due to ebuild-applied patches.

Expected Results:
It is probably not possible for rkhunter to know what patches are applied to these minor revisions, so the results can be misleading for Gentoo systems. There should be some note of this somewhere.

Portage 2.0.51.22-r3 (default-linux/x86/2005.0, gcc-3.3.6, glibc-2.3.5-r1, 2.6.10-hardened-r3 i686)
=================================================================
System uname: 2.6.10-hardened-r3 i686 Intel(R) Pentium(R) 4 CPU 2.60GHz
Gentoo Base System version 1.6.13
dev-lang/python:     2.3.5-r2, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium4 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.chem.wisc.edu/gentoo/ ftp://gentoo.chem.wisc.edu/gentoo/"
LANG="en_US.UTF-8"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X aac aalib alsa anthy apache2 apm arts avi bash-completion berkdb bitmap-fonts browserplugin cdr cjk crypt cups curl dba eds emboss encode esd fam ffmpeg flac foomaticdb fortran gcj gd gdbm gif gnome gnutls gpm gstreamer gtk gtk2 imagemagick imap imlib immqt innodb ipv6 java jit jpeg junit kde libg++ libwww live mad mikmod motif mozilla mp3 mpeg mpeg2 mpeg4 mysql ncurses nls ogg oggvorbis opengl oss pam pdflib pear-db perl php png python qt quicktime readline samba sdl session slang spell sqlite ssl stream svga tcltk tcpd tiff truetype truetype-fonts type1-fonts unicode vorbis wxwindows xine xml xml2 xmms xv zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS
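The mismatch described in the report, shown as an added illustration (this is not rkhunter's code and does not reproduce how programs_bad.dat is actually consulted): a check that compares only the upstream version string flags openssl-0.9.7e-r2 because the bad list names 0.9.7e, while a check that also knows which ebuild revision carries the distro patch does not. The known-bad list and the fixed-revision table are constructed for the example; the only entries in them are the openssl version, the CAN identifier, and the r2 revision named in the report.

```python
"""Added example: why a version-only match flags a patched Gentoo package.

Two ways of checking an installed atom against a "known bad" list:
  naive_is_bad()          - compares only the upstream version (ignores -rN)
  revision_aware_is_bad() - also consults a table of the first ebuild
                            revision that carries the fix
"""
import re
from dataclasses import dataclass

# Gentoo package atom: category/pkg-<upstream version>[-r<revision>]
_ATOM = re.compile(r"^(?P<cp>[\w+-]+/[\w+-]+)-(?P<pv>\d[\w.]*?)(?:-r(?P<rev>\d+))?$")


@dataclass(frozen=True)
class Atom:
    cp: str   # category/package, e.g. dev-libs/openssl
    pv: str   # upstream version, e.g. 0.9.7e
    rev: int  # ebuild revision, 0 when there is no -rN suffix


def parse_atom(atom: str) -> Atom:
    """Split 'dev-libs/openssl-0.9.7e-r2' into its parts."""
    m = _ATOM.match(atom)
    if not m:
        raise ValueError(f"not a Gentoo package atom: {atom!r}")
    return Atom(m.group("cp"), m.group("pv"), int(m.group("rev") or 0))


# Constructed "known bad" list keyed by (category/package, upstream version).
# The identifier is the one the report names for this version.
KNOWN_BAD = {
    ("dev-libs/openssl", "0.9.7e"): "CAN-2005-2969",
}

# Constructed (hypothetical) table: first ebuild revision that applies the
# distro patch.  The openssl entry follows the report (r2 carries the patch).
DISTRO_FIXED_REV = {
    ("dev-libs/openssl", "0.9.7e"): 2,
}


def naive_is_bad(atom: str) -> bool:
    """Version-only lookup: the -rN suffix never enters the comparison."""
    a = parse_atom(atom)
    return (a.cp, a.pv) in KNOWN_BAD


def revision_aware_is_bad(atom: str) -> bool:
    """Same lookup, but an installed revision at or above the fixed one is clean."""
    a = parse_atom(atom)
    key = (a.cp, a.pv)
    if key not in KNOWN_BAD:
        return False
    fixed = DISTRO_FIXED_REV.get(key)
    # No distro fix known for this version: the upstream verdict stands.
    return fixed is None or a.rev < fixed


def explain(atom: str) -> str:
    """One-line summary of both verdicts for an installed atom."""
    return (f"{atom}: version-only={'VULNERABLE' if naive_is_bad(atom) else 'ok'}, "
            f"revision-aware={'VULNERABLE' if revision_aware_is_bad(atom) else 'ok'}")


if __name__ == "__main__":
    for installed in ("dev-libs/openssl-0.9.7e", "dev-libs/openssl-0.9.7e-r2"):
        print(explain(installed))
```

The table approach only works if someone maintains it alongside the bad list, which is the reporter's point: a tool that does not track per-distro revisions cannot know which patches an ebuild applied, so its verdict on a -rN package should be read as "upstream version known affected", not "installed package vulnerable".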
Running this test myself shows that rkhunter does not see it as vulnerable, but in either case this is something that should be taken upstream, as it is not something we should be fixing for them; it's fundamental to the program itself to keep such databases up to date.