Paul Bijnens wrote:
> On 2008-09-05 17:11, SM wrote:
>
>> At 01:11 05-09-2008, Tilman Schmidt wrote:
>>
>>> But even a manual "yum update" finds nothing to update. I cannot
>>> imagine Redhat/CentOS neglecting to provide a patch for that
>>>
>> Why not? :-)
>>
>> The response was that "this issue can only result in a crash of the
>> bunzip2 process, which we do not consider to have any security impact."
>>
>>
>>> vulnerability, so I am probably doing something wrong. But what?
>>>
>> You are not doing anything wrong. Get a newer version of bzip2.
>>
>
>
> I believe the situation is this:
>
> Apparently Redhat believes it is not a security bug:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=438118#c6
>
> The crashing of bzip2 itself is not a security bug. But clamav
> (which is NOT included in the package list by RedHat) uses bzip2
> to unpack an archive and assert no harmful content is inside.
> Clamav cannot verify such an archive in this case. This could be
> used by a virus maker to bypass the virus scanner on the mail server.
>
> There exist updated bzip2 packages for FC7 and FC8.
>
> When some Real Paying Customer for Redhat Enterprise logs a bug, and
> convinces them it *is* a security bug, then the machinery for
> backporting the fix will be started, I guess, resulting in a fixed
> bzip2 for the RHEL series (or is this wishful thinking?).
>
>

Rhetorical question: Why does it have to be a _security_ bug in order for Redhat to fix it?
--
Roberto Ullfig - [EMAIL PROTECTED]

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
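Worked example (added here; it is not part of the thread and not ClamAV's own code): a small Python scanner that expands a bzip2 member and refuses to call the archive clean unless the whole stream was decoded. It uses Python's bz2 module in place of the bzip2 library, a constructed marker string in place of a real signature, and an assumed 1 MiB expansion cap; the verdict names (clean, infected, undecodable, oversized) are made up for the example. It goes a little beyond the crash discussed above: a truncated stream, a bad stream header, a bad block CRC and a small decompression bomb are all treated the same way, as "not verified", which is the behaviour that closes the bypass Paul describes.

```python
import bz2

# Constructed toy "signature"; stands in for a real scanner's detection logic.
SIGNATURE = b"EVIL-PAYLOAD-MARKER"

# Assumed ceiling on expanded size; a real scanner makes this configurable.
MAX_DECOMPRESSED = 1 << 20  # 1 MiB


def scan_bz2(blob: bytes, cap: int = MAX_DECOMPRESSED) -> str:
    """Expand a bzip2 stream and scan it.

    Returns 'clean', 'infected', 'undecodable' or 'oversized'.
    The point: a stream the decompressor cannot fully expand is never
    reported as 'clean'. A scanner that does that has been bypassed,
    which is exactly the concern raised in the thread.
    """
    decomp = bz2.BZ2Decompressor()
    out = bytearray()
    pending = blob
    try:
        while not decomp.eof:
            # Pull at most 64 KiB per call so a tiny input that expands
            # to a huge output can be cut off at `cap` instead of
            # exhausting memory.
            chunk = decomp.decompress(pending, 65536)
            pending = b""  # later calls only drain buffered output
            if not chunk and not decomp.eof:
                # No output, all input consumed, no end-of-stream marker:
                # the stream ended early (truncated).
                return "undecodable"
            out += chunk
            if len(out) > cap:
                return "oversized"
    except (OSError, ValueError, EOFError):
        # Bad magic, bad block data, CRC mismatch: the decompressor bailed.
        return "undecodable"
    return "infected" if SIGNATURE in out else "clean"


def verdict_to_action(verdict: str) -> str:
    """Fail closed: only a fully expanded, signature-free stream is delivered."""
    return "deliver" if verdict == "clean" else "block"


# --- Constructed sample inputs (built in-process; not real malware) ---
BENIGN = bz2.compress(b"Quarterly report attached, nothing to see here.\n")
EVIL = bz2.compress(b"archive header " + SIGNATURE + b" trailer")
# Cut the stream in half: the decompressor runs out of input before EOS.
TRUNCATED = EVIL[: len(EVIL) // 2]
# Stream header is "BZh" plus a block-size digit '1'..'9'; anything else
# is rejected before any block is read.
BAD_HEADER = b"BZhX" + EVIL[4:]
# Bytes 10..13 hold the first block's stored CRC (after the 4-byte stream
# header and 6-byte block magic); clobbering them lets the block decode
# and then fail its CRC check.
BAD_CRC = EVIL[:10] + bytes(b ^ 0xFF for b in EVIL[10:14]) + EVIL[14:]
# 4 MiB of zeros compresses to a few hundred bytes: a small decompression
# bomb that blows past the 1 MiB cap.
BOMB = bz2.compress(b"\x00" * (4 << 20))


if __name__ == "__main__":
    samples = [("benign", BENIGN), ("evil", EVIL), ("truncated", TRUNCATED),
               ("bad_header", BAD_HEADER), ("bad_crc", BAD_CRC), ("bomb", BOMB)]
    for name, sample in samples:
        v = scan_bz2(sample)
        print(f"{name:10s} -> {v:12s} action={verdict_to_action(v)}")
```

In a mail gateway "block" means quarantine or reject, and the scanner would log the decode failure rather than silently passing the message. One caveat that matters for the thread: this only helps when the decoder reports an error. The bug being discussed crashes the bunzip2 process itself, and a wrapper like this cannot catch a segfault inside a linked C library, so the scanning process still has to be isolated from the decoder (separate process, non-zero exit treated as "undecodable") and bzip2 itself still needs the patch.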