Roberto Ullfig wrote:
> Paul Bijnens wrote:
>> On 2008-09-05 17:11, SM wrote:
>>
>>> At 01:11 05-09-2008, Tilman Schmidt wrote:
>>>
>>>> But even a manual "yum update" finds nothing to update. I cannot
>>>> imagine Redhat/CentOS neglecting to provide a patch for that
>>>>
>>> Why not? :-)
>>>
>>> The response was that "this issue can only result in a crash of the
>>> bunzip2 process, which we do not consider to have any security impact."
>>>
>>>> vulnerability, so I am probably doing something wrong. But what?
>>>>
>>> You are not doing anything wrong. Get a newer version of bzip2.
>>>
>>
>> I believe the situation is this:
>>
>> Apparently Redhat believes it is not a security bug:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=438118#c6
>>
>> The crashing of bzip2 itself is not a security bug. But clamav
>> (which is NOT included in the package list by RedHat) uses bzip2
>> to unpack an archive and assert no harmful content is inside.
>> Clamav cannot verify such an archive in this case. This could be
>> used by a virus maker to bypass the virus scanner on the mail server.
>>
>> There exist updated bzip2 packages for FC7 and FC8.
>>
>> When some Real Paying Customer for Redhat Enterprise logs a bug, and
>> convinces them it *is* a security bug, then the machinery for
>> backporting the fix will be started, I guess, resulting in a fixed
>> bzip2 for the RHEL series (or is this wishful thinking?).
>>
> Rhetorical question: Why does it have to be a _security_ bug in order
> for redhat to fix it?
>
I wanted to ask those of you using CentOS and ClamAV-0.94 whether you've had any issues with the bunzip2 process crashing, or any other issues with ClamAV, on these systems running the earlier version of bunzip2.

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
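The failure mode Paul describes in the quoted message, a decompressor that dies on a crafted archive so the scanner never sees what is inside, is the reason scanning has to fail closed: "could not unpack" must not be reported as "clean". The Python below is an added example written for this page, not ClamAV's code or anything posted in the thread; MAX_OUTPUT, the SIGNATURES list and the sample streams are constructed for the demo.

```python
import bz2

# Upper bound on decompressed bytes we are willing to inspect (an assumed
# value for this example); a stream that would expand past it is unscannable.
MAX_OUTPUT = 1 << 20

# Hypothetical signature list standing in for a real scanner engine.
SIGNATURES = [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"]


def scan_bz2(blob: bytes) -> str:
    """Decompress a bzip2 stream in bounded steps and scan the result.

    Returns "clean", "infected" or "unscannable".  Fail-closed rule: anything
    the decompressor could not fully and correctly unpack (corrupt data,
    truncated stream, over-size output) is "unscannable", never "clean", so
    an archive that breaks the decompressor is not waved through as inspected.
    """
    decomp = bz2.BZ2Decompressor()
    out = bytearray()
    data = blob
    try:
        while True:
            # Ask for one byte more than the remaining budget so overflow is visible.
            out += decomp.decompress(data, max_length=MAX_OUTPUT - len(out) + 1)
            if len(out) > MAX_OUTPUT:
                return "unscannable"   # decompression bomb / over budget
            if decomp.eof:
                break                  # end-of-stream marker reached, CRCs verified by libbz2
            if decomp.needs_input:
                return "unscannable"   # input exhausted before end-of-stream: truncated
            data = b""                 # output cap hit: drain what is still buffered
    except (OSError, ValueError, EOFError):
        return "unscannable"           # corrupt stream: the "bunzip2 crash" case
    return "infected" if any(sig in out for sig in SIGNATURES) else "clean"


# Constructed sample streams for the demo.
CLEAN_STREAM = bz2.compress(b"quarterly report, nothing to see here\n")
TEST_STREAM = bz2.compress(b"attachment body " + SIGNATURES[0] + b" trailer")
# Keep the 10-byte stream+block header, invert every payload byte after it:
# the decoder rejects the block, a stand-in for an archive bunzip2 chokes on.
CORRUPT_STREAM = CLEAN_STREAM[:10] + bytes(b ^ 0xFF for b in CLEAN_STREAM[10:])
TRUNCATED_STREAM = CLEAN_STREAM[: len(CLEAN_STREAM) // 2]
OVERSIZED_STREAM = bz2.compress(b"\0" * (2 * MAX_OUTPUT))  # tiny on the wire, 2 MiB unpacked

if __name__ == "__main__":
    for name, stream in [("clean", CLEAN_STREAM), ("test-sig", TEST_STREAM),
                         ("corrupt", CORRUPT_STREAM), ("truncated", TRUNCATED_STREAM),
                         ("oversized", OVERSIZED_STREAM)]:
        print(name, "->", scan_bz2(stream))
```

Only the "clean" verdict lets mail through; a mail gateway that maps "unscannable" to quarantine or reject closes the bypass the thread is worried about, whatever the decompressor's own behaviour on bad input.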