On Wed, 22 Sep 2010 11:59:48 -0400 Wendy J Bossons <wboss...@mit.edu> wrote:
> I am running clamav on my dev laptop which is Snow Leopard, running
> FreeBSD. The bzip2 warning if I don't have to worry about it --
> that's fine.

You don't have to worry about the ulimit warning.
You do have to worry about the bzip2 warning: if you scan a file that exploits CVE-2010-0405 then your clamd/clamscan will crash if you did not upgrade your system's bzip2 library (look for an update from your OS vendor).

This happens of course if you don't upgrade ClamAV as well: then you are vulnerable to both an exploit via a .bz2 file, and an nsis file.
The only way to avoid being vulnerable is to upgrade both ClamAV and libbz2.

> But if I wanted to fix the issue, I don't think it's
> obvious how to go about it. I would rather run the software without
> the warning -- warnings are there to put up flags to the developer. I
> am not doing my job if I ignore it, nor if I have to jump through all
> kinds of hoops otherwise -- it's a time burner.

We could embed a copy of bzip2, and use that if your system one is too old, or if you explicitly request it.
Not sure if that would solve more problems than it would create.

Best regards,
--Edwin