On Wed, 22 Sep 2010 12:08:32 -0500
George Kasica <george_kas...@mgic.com> wrote:

> Edwin:
>
> I've been around the 'net quite some time (1983), please excuse me if I'm
> expecting too much.
>
> I think releasing the clamav item before there were bzip2 libraries out
> there to compile against for major distros (Fedora Core 13, RHEL4 and
> RHEL5 are not small install bases) and many if not most run the RPM builds
> (not tar.gz compiles) in a business setting for control in a large
> environment was probably not a great idea - though I understand you can't
> control the distro vendors I do know you can work with them on security
> issues, it's done by other vendors all the time and they can get RPMs out
> quickly in cases like this.
We released ClamAV 0.96.3 ~8 hours after the new version of bzip2 was
published on http://www.bzip.org/, which disclosed the integer overflow bug
at the same time.

The aim of this release was to fix the INTERNAL bzip2 library shipped with
our package (it's a modified version used by the NSIS unpacker - we can't
rely on the system library in this case). We also added a check to INFORM
YOU whether or not your system's own bzip2 library (which ClamAV uses to
process .bz2 files) is affected. If you decided to type "make" after running
configure, the final build was still dynamically linked against it and you
could upgrade this library later. There was no point in waiting for the
distros to provide new packages for bzip2.

--
   oo    .....         Tomasz Kojm <tk...@clamav.net>
  (\/)\.........         http://www.ClamAV.net/gpg/tkojm.gpg
     \..........._         0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\            Wed Sep 22 20:09:50 CEST 2010
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
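The check Tomasz describes (tell the admin whether the system's own bzip2, the one a dynamically linked ClamAV actually uses for .bz2 files, is an affected version) is easy to reproduce as a stand-alone post-install check. The script below is an added example written for this thread; it is not ClamAV's configure check and not code from the mail. It asks the system libbz2 for its version through the real BZ2_bzlibVersion() entry point and compares it with a fixed-version threshold. That threshold (FIXED_BZIP2_VERSION) is an assumption, since the mail does not name the fixed bzip2 release; substitute the version announced on bzip.org.

```python
"""Report whether the system bzip2 library predates the fixed release.

Added example, not ClamAV's own code. The version string comes from
BZ2_bzlibVersion(), exported by libbz2; the fixed-version threshold
is an assumption that must be confirmed against the bzip.org notice.
"""

import ctypes
import ctypes.util
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# ASSUMED threshold: first bzip2 release carrying the integer-overflow fix.
# The mail does not state it; replace with the version from bzip.org.
FIXED_BZIP2_VERSION: Version = (1, 0, 6)


def parse_bzip2_version(text: str) -> Version:
    """Extract the dotted numeric version from a BZ2_bzlibVersion() string.

    libbz2 returns strings of the form "1.0.5, 10-Dec-2007"; only the
    leading number is compared, the date suffix is ignored.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised bzip2 version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: Version, fixed: Version = FIXED_BZIP2_VERSION) -> bool:
    """True when `version` is older than `fixed`.

    Both tuples are zero-padded to the same length so that (1, 0)
    compares equal to (1, 0, 0) instead of sorting before it.
    """
    width = max(len(version), len(fixed))

    def pad(v: Version) -> Version:
        return v + (0,) * (width - len(v))

    return pad(version) < pad(fixed)


def system_bzip2_version() -> Optional[str]:
    """Return the version string of the system libbz2, or None if the
    shared library cannot be found or does not export the symbol."""
    name = ctypes.util.find_library("bz2")
    if name is None:
        return None
    try:
        lib = ctypes.CDLL(name)
        fn = lib.BZ2_bzlibVersion
    except (OSError, AttributeError):
        return None
    fn.restype = ctypes.c_char_p
    fn.argtypes = []
    raw = fn()
    return raw.decode("ascii", "replace") if raw else None


def check_system_bzip2(fixed: Version = FIXED_BZIP2_VERSION) -> str:
    """Produce the one-line verdict a configure-style check would print."""
    text = system_bzip2_version()
    if text is None:
        return "bzip2: system library not found; cannot tell whether it is affected"
    try:
        ver = parse_bzip2_version(text)
    except ValueError:
        return f"bzip2: unparseable version string {text!r}; treat as affected"
    wanted = ".".join(map(str, fixed))
    if is_affected(ver, fixed):
        return f"bzip2: system library {text} is AFFECTED; upgrade to {wanted} or later"
    return f"bzip2: system library {text} is not affected"


if __name__ == "__main__":
    print(check_system_bzip2())
```

Because the verdict is based on the library the dynamic loader resolves at run time, re-running the script after a distro package update is enough to confirm the upgrade took effect, which is exactly the property Tomasz relies on when he says a "make"-built ClamAV can pick up a fixed bzip2 later without being rebuilt.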