diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3913ca9b..38f2e253 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -56,7 +56,7 @@ The **patch** part changes incrementally at each release.
 * bind: change name of logrotate file to bind9
 * certbot: commit hook must be executed at the end
 * elasticsearch: listen on local interface only by default
-* evocheck: upstream version 20.04.1
+* evocheck: upstream version 20.04.2
 * evocheck: cron jobs execute in verbose
 * evolinux-base: use "evolinux_internal_group" for SSH authentication
 * evolinux-base: Don't customize the logcheck recipient by default.
diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh
index 62473773..88bb2f29 100644
--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@@ -4,6 +4,8 @@
 # Script to verify compliance of a Debian/OpenBSD server
 # powered by Evolix
+readonly VERSION="20.04.2"
+
 # base functions
 show_version() {
@@ -1239,6 +1241,29 @@ check_apt_valid_until() {
 fi
 }
+check_chrooted_binary_not_uptodate() {
+ # list of processes to check
+ process_list="sshd"
+ for process_name in ${process_list}; do
+ # what is the binary path?
+ original_bin=$(command -v "${process_name}")
+ for pid in $(pgrep ${process_name}); do
+ process_bin=$(realpath /proc/${pid}/exe)
+ # Is the process chrooted?
+ real_root=$(realpath /proc/${pid}/root)
+ if [ "${real_root}" != "/" ]; then
+ chrooted_md5=$(md5sum "${process_bin}" | cut -f 1 -d ' ')
+ original_md5=$(md5sum "${original_bin}" | cut -f 1 -d ' ')
+ # compare md5 checksums
+ if [ "$original_md5" != "$chrooted_md5" ]; then
+ failed "IS_CHROOTED_BINARY_NOT_UPTODATE" "${process_bin} (${pid}) is different than ${original_bin}."
+ test "${VERBOSE}" = 1 || break
+ fi
+ fi
+ done
+ done
+}
+
 main() {
 # Default return code : 0 = no error
 RC=0
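Review bot: In check_chrooted_binary_not_uptodate the two realpath lookups on `/proc/${pid}/exe` and `/proc/${pid}/root` run without checking their exit status, so a pid that exits between the pgrep call and these lookups (or whose /proc entry cannot be read) leaves real_root empty; empty is != "/", the chroot branch then runs `md5sum ""`, and the empty chrooted_md5 differs from original_md5, producing a false IS_CHROOTED_BINARY_NOT_UPTODATE report. Skipping such pids is enough: `process_bin=$(realpath "/proc/${pid}/exe") || continue` and `real_root=$(realpath "/proc/${pid}/root") || continue`. The unquoted `pgrep ${process_name}` is also a regex substring match rather than an exact name match, so any process whose name merely contains sshd would be compared against the sshd binary; `for pid in $(pgrep -x -- "${process_name}"); do` restricts the loop to the intended daemon. md5sum is adequate for spotting an outdated copy, but since the check is meant to catch a stale binary inside a chroot, sha256sum is equally available on the targets this script covers and avoids having to argue about MD5 at all.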
@@ -1363,6 +1388,7 @@ main() {
 test "${IS_OSPROBER:=1}" = 1 && check_osprober
 test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports
 test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until
+ test "${IS_CHROOTED_BINARY_NOT_UPTODATE:=1}" = 1 && check_chrooted_binary_not_uptodate
 fi
 #-----------------------------------------------------------
@@ -1475,8 +1501,6 @@ readonly PROGDIR=$(realpath -m "$(dirname "$0")")
 # shellcheck disable=2124
 readonly ARGS=$@
-readonly VERSION="20.04.1"
-
 # Disable LANG*
 export LANG=C
 export LANGUAGE=C