Wendy,

Download the bzip2 security release and compile. I have to go back to my office to check what compile settings are necessary as the default make file is not good enough.

Tom

On Sep 22, 2010, at 11:59 AM, Wendy J Bossons wrote:

> I am running clamav on my dev laptop which is Snow Leopard, running FreeBSD.
> The bzip2 warning if I don't have to worry about it -- that's fine. But if I
> wanted to fix the issue, I don't think it's obvious how to go about it. I
> would rather run the software without the warning -- warnings are there to
> put up flags to the developer. I am not doing my job if I ignore it, nor if I
> have to jump through all kinds of hoops otherwise -- it's a time burner.
>
>
> Wendy Bossons
> Web Developer
> MIT Libraries
> Technology Research & Development
> Building E25-131
> 77 Massachusetts Ave.
> Cambridge, MA 02141-4307
> Phone 617-253-0770
> Fax 617-253-4462
> wboss...@mit.edu
> http://libraries.mit.edu
>
>
> On Sep 22, 2010, at 11:48 AM, Tomasz Kojm wrote:
>
> On Wed, 22 Sep 2010 10:14:57 -0500 George Kasica
> <george_kas...@mgic.com> wrote:
>
> Tomaz:
>
> Typical issues as in the past...first no clue it was coming out (no
> release candidate no announcement)...it just appeared, no idea it would
> have issues with bzip2,
>
> 0.96.3 is a security release, which fixes an integer overflow in the
> bzip2 library (we use a modified version of this lib in the NSIS
> unpacker). It also detects whether or not your local libbz2 (which we
> use to handle .bz2 files) is affected by this problem and prints a
> warning if needed.
>
> and STILL no fix to bzip2 RPMs for the Fedora Core 13 platform
>
> Well, we have no control over those RPMs..
>
> (we had to compile from a tar.gz for the others) except
> RHEL4/5 that have RPMs out (AFTER 0.96.3 released),
>
> So you did the right job. Your bzip2 lib can no longer be exploited.
>
> the ULIMIT issue
> that I still don't fully grasp here and am still not clear if it's
> something we need to deal with....things seem to run so for now we
> haven't gone in and touched it (again, this wasn't an issue in 0.96.2 why
> is it an issue in 0.96.3 which appears to be a minor release 0.0.1)
>
> This issue was recently described on the ml. The warning can be safely
> ignored on Linux.
>
> In our environment we have certain time-frames where we need to apply
> code once it's released depending on what and why it was put out so we
> don't always have the luxury to let it sit for days...getting code that
> is not labeled as RC and is supposedly prod quality and ready to go and
> having these issues is not good...we've spent a good portion of the week
> on this so far and seem to be finally OK, but it could have been much
> smoother (again)....brings me back to the point of why are we running
> these 4 test harness boxes for Torok if no-one is looking at what is
> coming back from them.
>
> Thanks for your support. The 0.96.3 was tested on your boxes and
> confirmed to work fine before we released it. Since the tests are fully
> automated, we missed the ULIMIT warning issue but as I wrote above, it
> can just be ignored.
>
> Cheers,
>
> --
> oo ..... Tomasz Kojm <tk...@clamav.net>
> (\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
> \..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
> //\ /\ Wed Sep 22 17:38:15 CEST 2010
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml