On 2008-09-05 17:11, SM wrote:
> At 01:11 05-09-2008, Tilman Schmidt wrote:
>> But even a manual "yum update" finds nothing to update. I cannot
>> imagine Redhat/CentOS neglecting to provide a patch for that
> 
> Why not? :-)
> 
> The response was that "this issue can only result in a crash of the 
> bunzip2 process, which we do not consider to have any security impact."
> 
>> vulnerability, so I am probably doing something wrong. But what?
> 
> You are not doing anything wrong.  Get a newer version of bzip2.


I believe the situation is this:

Apparently Redhat believes it is not a security bug:

https://bugzilla.redhat.com/show_bug.cgi?id=438118#c6

The crashing of bzip2 itself is not a security bug.  But clamav
(which is NOT included in the package list by RedHat) uses bzip2
to unpack an archive and assert no harmful content is inside.
Clamav cannot verify such an archive in this case.  This could be
used by a virus maker to bypass the virus scanner on the mail server.

There exist updated bzip2 packages for FC7 and FC8.

When some Real Paying Customer for Redhat Enterprise logs a bug, and
convinces them it *is* a security bug, then the machinery for
backporting the fix will be started, I guess, resulting in a fixed
bzip2 for the RHEL series (or is this wishful thinking?).


-- 
Paul Bijnens, xplanation Technology Services        Tel  +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax  +32 16 397.512
http://www.xplanation.com/          email:  [EMAIL PROTECTED]
***********************************************************************
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, ^^, *
* F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt,  abort,  hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e,  kill -1 $$,  shutdown, *
* init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ...  "Are you sure?"  ...   YES   ...   Phew ...   I'm out          *
***********************************************************************
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
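The bypass Paul describes boils down to a policy question: what does a scanner report for an archive its decompressor could not unpack? The following toy scanner is an added illustration, not code from this thread or from ClamAV. It uses Python's bz2 module as the decompressor, a constructed one-entry signature list, and models the decompressor failing on a crafted archive as a decompression exception on a truncated stream (a stand-in for the crash discussed above, since a current libbz2 will not crash on it). It shows the "fail open" verdict that lets such an archive through beside the "fail closed" verdict that does not.

```python
import bz2

# Constructed toy signature list: a single marker string standing in for a
# real virus signature. Not a ClamAV database.
SIGNATURES = [b"EVIL-TEST-MARKER"]


def scan_bytes(data: bytes) -> bool:
    """Return True if any toy signature occurs in the unpacked data."""
    return any(sig in data for sig in SIGNATURES)


def decompress_or_none(blob: bytes):
    """Unpack a bzip2 stream; return None when the decompressor fails.

    The failure (EOFError for a truncated stream, OSError for a corrupt one)
    is the stand-in for the bzip2 crash described in the thread: either way
    the scanner never gets to look at the content.
    """
    try:
        return bz2.decompress(blob)
    except (OSError, EOFError, ValueError):
        return None


def scan_fail_open(blob: bytes) -> str:
    """Dangerous policy: an archive that cannot be unpacked is reported clean.

    This is the behaviour that lets a crafted archive bypass the scanner.
    """
    plain = decompress_or_none(blob)
    if plain is None:
        return "clean"
    return "infected" if scan_bytes(plain) else "clean"


def scan_fail_closed(blob: bytes) -> str:
    """Safer policy: an archive that cannot be unpacked gets its own verdict.

    The mail server can then quarantine or reject it instead of delivering it.
    """
    plain = decompress_or_none(blob)
    if plain is None:
        return "unscannable"
    return "infected" if scan_bytes(plain) else "clean"


def build_samples():
    """Constructed sample archives: an infected one, a truncated copy of it
    that the decompressor rejects, and a benign one."""
    infected = bz2.compress(b"some text " + SIGNATURES[0] + b" more text")
    # Cut the stream in the middle so bz2.decompress raises EOFError.
    truncated = infected[: len(infected) // 2]
    benign = bz2.compress(b"just a text file\n")
    return infected, truncated, benign


if __name__ == "__main__":
    for name, blob in zip(("infected", "truncated", "benign"), build_samples()):
        print(f"{name:9s} fail-open={scan_fail_open(blob):11s} "
              f"fail-closed={scan_fail_closed(blob)}")
```

The truncated sample is the interesting row: the fail-open scanner reports it clean while the fail-closed one reports it unscannable. Note that this only models a decompressor that returns an error; when the decompressor crashes inside the scanner process, as with bzip2 here, the scanner returns no verdict at all, and it is the mail server's handling of a missing verdict that decides whether the message is delivered.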