I’m configuring rkhunter on a new Debian Lenny setup for production. The rkhunter that comes with apt in Lenny complains about Exim, proftpd, openssl, gpg and openssh being ‘out of date, and possibly a security risk’ . I assume it’s partly because Lenny has been around for a while now, and packages aren’t shiny new versions, but I do trust the Debian security team so I’m whitelisting the apps in question for now. The issue has already been discussed at bugs.debian.org .