Bug 230075 - Need to keep package current
Need to keep package current
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: clamav (Show other bugs)
6
All Linux
medium Severity medium
: ---
: ---
Assigned To: Enrico Scholz
Fedora Extras Quality Assurance
: Reopened
: 240531 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-02-26 10:18 EST by David Highley
Modified: 2008-05-01 11:39 EDT (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-26 00:02:47 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Highley 2007-02-26 10:18:05 EST
Description of problem:
The Clamav package sends out daily E-mails that it is not current.

Version-Release number of selected component (if applicable):
clamav-0.88.7-2.fc6

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Apparently this application monitors for updates and whines if it is not kept
current.
Comment 1 Enrico Scholz 2007-02-26 13:13:47 EST
can you provide more details please? I am running this version for some days and
I never got such an e-mail
Comment 2 David Highley 2007-02-26 13:55:39 EST
From the E-mail to the root user everyday:
 --------------------- clam-update Begin ------------------------

 Last ClamAV update process started at Sun Feb 25 23:13:07 2007

 Last Status:
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.88.7 Recommended version: 0.90
    DON'T PANIC! Read http://www.clamav.net/faq.html
    main.cvd is up to date (version: 42, sigs: 83951, f-level: 10, builder: tkoj
m)
    daily.cvd updated (version: 2654, sigs: 10790, f-level: 13, builder: ccordes
)
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Current functionality level = 10, recommended = 13
    DON'T PANIC! Read http://www.clamav.net/faq.html
    Database updated (94741 signatures) from db.us.clamav.net (IP: 63.166.28.8)

 ---------------------- clam-update End -------------------------
Comment 3 Enrico Scholz 2007-02-26 14:15:16 EST
mmh... I do not have a clue where this is coming from. Who is sending this
message? The string 'clam-update' does not seem to appear in the clamav
(sub)package(s).
Comment 4 David Highley 2007-02-26 14:48:03 EST
Here are the clam rpms that I have install:
[dhighley@douglas ~]$ rpm -qa | grep clam
clamav-0.88.7-2.fc6
clamav-milter-0.88.7-2.fc6
clamav-milter-sysv-0.88.7-2.fc6
clamav-update-0.88.7-2.fc6
clamav-lib-0.88.7-2.fc6
clamav-data-0.88.7-2.fc6

The E-mail seems to be derived from greping the /var/log/freshclam.log file. I
do not find any direct link to this file in the /etc/cron.daily directory but
assume it is part of the log file monitoring process.
Comment 5 Enrico Scholz 2007-02-26 15:07:41 EST
sorry; there seems to be a 3rd party program on your machine which generates
these warnings. I do not see how I can fix this from within the 'clamav' package.
Comment 6 David Highley 2007-02-26 23:36:47 EST
This does not involve any non Fedora core/extras software. The logwatch utility
monitors the log files and the clamav installation put and entry in the
/usr/share/logwatch structure to be monitored. By default the clam virus service
is disabled. Do you have your clamav service enabled and have you configured the
clam configuration files so that it will run? That took me a little while to
figure out. Do you have your clamav configured to check for updates? I do not
use any other software except some multimedia stuff from livna.
Comment 7 Sven van Heel 2007-03-02 08:50:33 EST
I have the same problem.

I use ClamAV together with Amavisd (combined with Postfix), both from Fedora Extras.

The warning appears in the freshclam.log logfile:
--------------------------------------
ClamAV update process started at Fri Mar  2 12:46:57 2007
main.cvd is up to date (version: 42, sigs: 83951, f-level: 10, builder: tkojm)
daily.cvd updated (version: 2696, sigs: 11778, f-level: 13, builder: ccordes)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 10, recommended = 13
DON'T PANIC! Read http://www.clamav.net/faq.html
Database updated (95729 signatures) from db.nl.clamav.net (IP: 62.133.206.90)

and also on-screen when restarting the service:

Stopping clamd.amavisd:                                    [  OK  ]
Starting clamd.amavisd:
LibClamAV Warning: ********************************************************
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.  ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/faq.html ***
LibClamAV Warning: ********************************************************
                                                           [  OK  ]


The freshclam.log logfile is a bit more precise about the problem:
The "Functionality level" is 10 instead of the recommended 13.

From the FAQ mentioned in the error-message:
<------------>
    *  What does WARNING: Current functionality level = 1, required = 2 mean?
          o The functionality level of the database determines which scanner
engine version is required to use all of its signatures. If you don’t upgrade
immediately you will be missing the latest viruses.

    * What does Your ClamAV installation is OUTDATED mean?
          o You’ll get this message whenever a new version of ClamAV is
released. In order to detect all the latest viruses, it’s not enough to keep
your database up to date. You also need to run the latest version of the
scanner. You can download the sources of the latest release from our website.
Upgrade instructions are on the WikiWiki. If you are afraid to break something
while upgrading, use the precompiled packages for your operating
system/distribution. Remember: running the latest stable release also improves
stability.
<------------>

So it seems that there's a newer version available for the ClamAV engine.

Sven
Comment 8 Pete Olson 2007-03-02 18:11:14 EST
There are also a couple of known security issues with versions previous to 0.90.
See http://www.securityfocus.com/bid/22580 and
http://www.securityfocus.com/bid/22581.

Pete
Comment 9 Enrico Scholz 2007-03-02 18:36:57 EST
named CVEs/BIDs should be fixed in 0.88.7-2
Comment 10 Marc Schwartz 2007-03-06 09:52:29 EST
Is there a reason that FE's clamav has not yet been updated to version 0.9?

That is the reason for the outdated messages reported above and which will still
be present with clamav-0.88.7-2.fc6.

It will be three weeks tomorrow since 0.90 was released.

What's the deal? This is the first time in recent memory that there has been
such a long delay.

Comment 11 Enrico Scholz 2007-03-06 10:08:46 EST
In order of precedence:

- it requires changes to configuration files
- it is not API and ABI compatible with clamav-0.88.x
- there are lot of reports about instabilities
Comment 12 Marc Schwartz 2007-03-06 10:40:16 EST
Enrico, prompted by your reply, I did some checking, as I was aware of some of
the issues you raised (ie. config files, CLI args) as a user of ClamAssassin.

>>- it requires changes to configuration files

There appears to be a script here:

http://wiki.clamav.net/Main/UpgradeNotes090

that facilitates end user changes to the config file.  This would not be the
first time such changes are required with a version update of an application.

>>- it is not API and ABI compatible with clamav-0.88.x

Is your plan to coordinate such changes to the apps involved with the upstream
folks and/or Fedora maintainers, or to defer this until F7?

>>- there are lot of reports about instabilities

Some of these seem to be issues pertaining to the failure to properly update
config files as above.

Others, such as memory leaks, etc. seem to be resolved in version 0.90.1, which
is now available.  Any plans here?

Thanks.
Comment 13 Marc Schwartz 2007-03-06 10:45:59 EST
BTW, there are update notes for 0.90.1 here:

  http://wiki.clamav.net/Main/UpgradeNotes0901
Comment 14 Enrico Scholz 2007-03-06 11:20:10 EST
> >>- it requires changes to configuration files
>
> There appears to be a script here:
> 
> http://wiki.clamav.net/Main/UpgradeNotes090

I do not have an idea how to handle this during a nightly 'yum upgrade' operation.
Comment 15 Marc Schwartz 2007-03-06 11:35:58 EST
I am not expert in RPMs unfortunately, but it seems to me that the script can be
run post-install at the time of the update via entries in the spec file.

I would have to defer to others on the details of implementation.

A very brief Google search leads me to:

http://www.rpm.org/max-rpm/s1-rpm-inside-scripts.html#S2-RPM-INSIDE-BUILD-TIME-SCRIPTS

which suggests that a "%post" script directive in the spec file would facilitate
this process.

HTH
Comment 16 John Griffiths 2007-03-10 12:37:13 EST
I appreciate all the work done Enrico, but something, anything, is better than
suspending in time because this is harder than usual. The virus producers don't
stop. Red Hat/Fedora can't afford to stop either.

There is an awk script,
http://wiki.clamav.net/twiki/pub/Main/UpgradeNotes090/updateclamconf , that
converts .8 conf files to .9, which could be made part of the clamav package and
run as part of the post-install rpm section. A test could be made in pre-install
of current version of clamav and if it is .8x, set a flag to run the
post-install config file update script.

Another alternative is you could update and supply a generic conf file for .90
and preserve the original conf in an rpmsave file and disable clamav until the
user updates the conf file like it is when first installed. Put a comment in the
new conf file about the conversion script. 

Just for information, the email to root discussed earlier comes from a package
called logwatch.

Name        : logwatch                     Relocations: (not relocatable)
Version     : 7.3                               Vendor: Red Hat, Inc.
Release     : 7.fc6                         Build Date: Wed 20 Dec 2006 03:33:49
AM EST
Install Date: Tue 02 Jan 2007 03:00:07 PM EST      Build Host:
js20-bc1-9.build.redhat.com
Group       : Applications/System           Source RPM: logwatch-7.3-7.fc6.src.rpm
Size        : 1014100                          License: MIT
Signature   : DSA/SHA1, Tue 02 Jan 2007 10:18:43 AM EST, Key ID b44269d04f2a6fd2
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.logwatch.org/
Summary     : A log file analysis program.
Description :
Logwatch is a customizable, pluggable log-monitoring system.  It will go
through your logs for a given period of time and make a report in the areas
that you wish with the detail that you wish.  Easy to use - works right out
of the package on many systems.

Comment 17 Enrico Scholz 2007-03-10 14:05:22 EST
* virus database is still updated; accordingly
  http://article.gmane.org/gmane.comp.security.virus.clamav.user/25389

  | only 5% of our users are running 0.9x

  Hence, 0.88.7 database should be still updated for some time
  (hopefully until FC6's EOL ;) )

* I really do not see how to update the user configuration files;
  I neither know their exact location, nor can I guarantee that
  e.g. ~foo/.clamscan.conf is writable, nor can I guarantee that
  my chances are not overridden at next 'cfagent' run.

  Breaking an existing clamav installation during a nightly 'yum upgrade'
  is not an option.
Comment 18 John Griffiths 2007-03-11 01:24:39 EST
Context is everything. You left out "I urge everyone to upgrade to 0.90.1 ."
That seems pretty clear. Entire post follows:


Hello Dennis,

> Sidebar - continuing to see freshclam update failures - trussed 
> freshclam and watched it walking through the list of mirrors looking for 
>  data and never finding it. That seems to be a lot of mirrors out of 
> service or busy doing other things. Did I catch them at a bad time? Is 
> there a bad time?

Well our sigmakers are publishing a lot of updates (which is a good
thing) but only 5% of our users are running 0.9x which means no scripted
updates and a lot of traffic for our mirrors. Many of them cannot cope
with the current traffic.

I urge everyone to upgrade to 0.90.1 .

Best regards

-- 
Luca Gibelli (luca _at_ clamav.net) - ClamAV, a GPL anti-virus toolkit 
Comment 19 Enrico Scholz 2007-03-11 06:48:39 EDT
again: I do not know an upgrade path which guarantees a working clamav
installation after a nightly 'yum upgrade'.

Therefore, I will stay at 0.88.7 as long as possible
Comment 20 David Highley 2007-03-11 09:05:43 EDT
Sorry, but sitting on the fence is not an option. Several options were proprosed
of which updating and moving the configuration files to rpmsave seemed the
safest.   I would say that you either need to update the package or pull the
package from the distribution if your not going to maintain it, which I think
would be the wron g choice.
Comment 21 Jonathan Steffan 2007-04-09 02:41:19 EDT
# freshclam
ClamAV update process started at Mon Apr  9 02:32:16 2007
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.88.7 Recommended version: 0.90.1
DON'T PANIC! Read http://www.clamav.net/faq.html
main.cvd is up to date (version: 42, sigs: 83951, f-level: 10, builder: tkojm)
daily.cvd is up to date (version: 3050, sigs: 23289, f-level: 14, builder: ccordes)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 10, recommended = 14
DON'T PANIC! Read http://www.clamav.net/faq.html

We should get this updated soon. I'd be willing to take a look at what could be
done for updates. Is there a reason we can not just backup the existing
config(s) as .rpmsave and call it an update?
Comment 22 John Griffiths 2007-04-09 09:41:57 EDT
I suggested that in comment 16: Enrico seems reluctant to do anything about this.
Comment 23 David Anderson 2007-04-10 12:04:35 EDT
Enrico's decision seems perfectly justifiable. The current Fedora package, 
whilst not the latest, has no known security holes and provides up-to-date 
anti-virus definitions. As such, it is up to Enrico as packager to make a 
decision, and he seems to have made one which is his prerogative. Nothing 
requires packagers to provide the latest version within a few weeks of it 
coming out.
Comment 24 John Griffiths 2007-04-10 12:26:02 EDT
I would agree with one exception; the recommendation of the developers of clamav.

     Well our sigmakers are publishing a lot of updates (which is a good
     thing) but only 5% of our users are running 0.9x which means no scripted
     updates and a lot of traffic for our mirrors. Many of them cannot cope
     with the current traffic.

     I urge everyone to upgrade to 0.90.1 .

We help cause a strain on their servers, and they urge everyone to upgrade.
Comment 25 Marc Schwartz 2007-04-10 12:30:46 EDT
(In reply to comment #23)
> Enrico's decision seems perfectly justifiable. The current Fedora package, 
> whilst not the latest, has no known security holes and provides up-to-date 
> anti-virus definitions. As such, it is up to Enrico as packager to make a 
> decision, and he seems to have made one which is his prerogative. Nothing 
> requires packagers to provide the latest version within a few weeks of it 
> coming out.

That may be true. But given his reasoning and the upstream recommendations to
upgrade, there is an intrinsic conflict here.

If Enrico continues to avoid the burden of dealing with the relatively minor
issues of the upgrade hurdle, then users will move to an alternative source for
the application as I did.

At that point, Enrico's work here, as much as we value his contribution to the
community, becomes irrelevant.

Whether it be for FC6 or F7, he or someone else will need to deal with this if
clamav is to be available as part of Fedora. One way or another, end-users will
have to deal with the incompatibility issues, either via the assistance of the
package maintainer or on their own.

If Enrico is under-informed of the options that are available relative to
incorporating upgrade mechanisms in the RPM, then he can certainly ask for
assistance from those with that expertise. I am not one of them, but as I noted
in a comment above (#15), it only took me a few minutes to identify at least
some possibilities.

This is Fedora after all, not Debian Stable. We do expect to be on the leading
edge and we do expect bumps along the way.
Comment 26 Michael Schwendt 2007-04-10 13:21:29 EDT
> We do expect to be on the leading
> edge and we do expect bumps along the way.

Many of our users do not. Actually they even blame us for each of
those "bumps".
Comment 27 Marc Schwartz 2007-04-10 13:41:30 EDT
Michael, then I would respectfully suggest that those users switch to a Linux
distro with a less aggressive update schedule. As neither Fedora, nor Ubuntu for
that matter, will be for them.

If they want a more stable distro for the desktop or a server, where they can
get support for long periods and where upgrades will be relatively painless,
they need to look elsewhere.

I have been using RH based distros since the late RH 8.0 betas and have never
been under the false impression that the upgrade process would be painless. Less
so with Fedora, which initially had projected and openly stated 2 to 3 major
version upgrades per year.

Fedora is not a ride for the meek...at least not for the foreseeable future.
Comment 28 Marc Schwartz 2007-04-10 14:18:54 EDT
I should note, for the record, and I stand corrected on this point by Jason and
Jima on the FE e-mail list just now, that the latest version of clamav is
present in the F7 Extras repo (presumably to be merged into the main repo at
some point prior to release).

So we will have that available to us as of the next release (for those waiting
for the stable release of F7).

Enrico, I think you could have saved yourself a great deal of anguish here if
you would have announced that here, rather than leave the impression that you
had no plans to upgrade beyond the version in FC6 at present.

Needless to say, users will face the same incompatibility issues at that point,
albeit in conjunction with a major Fedora version upgrade.

I do appreciate your efforts on this, but would point out that communications
are critical to managing the expectations of those who are using your 'product'.
 That goes for a voluntary community as much as in the case of a for-profit
business.
Comment 29 Heiner Westphal 2007-04-11 02:22:30 EDT
(In reply to comment #27)
> Fedora is not a ride for the meek...at least not for the foreseeable future.
But fedora has grown since RH 8.0 (thanx a lot).

  We're using it for software development and need fairly recent versions of the
relevant packages. Thus debian stable is not an option. On the other hand for
ISVs software development is production, which means we cannot afford to find a
broken system in the morning, just because some nightly update did not work.

Enrico, I think most people here did not really get your point (I hope I did):
  Adapting THE configuration for clamav would have taken about half a day max.

  The problem are the USER configurations in their homes, or - worse - anywhere
else.

  Imagine the CTO comes back from a longer journey, three weeks after clamav was
updated, and she wants to check her portable disk. How do you handle her 0.8x
configuration when running the new clamav 0.9x?

  Building a clever wrapper which can cope with different config versions is
more of a challange, than updating one set of configs while doing the update.


So what I read from all above is:
1. 0.8x still works and gets sig updates, though it puts more load on the
   mirrors than necessary.
2. Upgrading the FC6-clamav without breaking existing configs, especially
   USER-configs, is a major hassle (and will only be done, if loads of dollars 
   are involved ;)
3. There is a clamav 0.9x for FC7 in the extras repo.
4. FC7 is not too far away.

Excuse me clamav.net, but I will keep putting that load on your mirrors, until
FC7 gets out. If s.o. really MUST have 0.9x, www.clamav.net has the info how to
compile it yourself.

[ To use external repos may be dangerous. 
I stumled into conflicts last time I tried.
I tried to get something else from an external repo, but got parts of clamav
from there as well, because the version was higher but the packaging was
different. ]
Comment 30 Enrico Scholz 2007-04-11 02:57:41 EDT
Ok, to summarize my points:

I want to prevent that after a nightly 'yum upgrade' all mails since 04:05 will
be bounced due to the changed configuration syntax.

There is no way for me to detect and change the used configuration files (which
might me on a cfengine server or in NFS $HOME directores inaccessibly for root).


A wrapper or (better) forward-porting of the old config parser are options, but
as long as 0.8x works, this has a very low priority for me.
Comment 31 Marcin Garski 2007-04-12 19:20:07 EDT
Houston we have a problem.

I have a file DSC00017.scr which is a file from 991944 submission to ClamAV and
have been added as Trojan.Spambot-397 and Trojan.Downloader-5261.

If I scan this file on Jotti's malware scan and VirusTotal websites it is
properly recognised, but when I scan it with up-to-date (main.cvd 43, daily.cvd
3087) clamav-0.88.7-2.fc6 it gives me "DSC00017.scr: OK".

So either there is something wrong with my ClamAV installation, or this virus
isn't recognised by 0.88.7 version. I could provide this file for testing.
Comment 32 Kevin Kofler 2007-04-13 02:53:32 EDT
http://wiki.clamav.net/Main/UpgradeNotes090

The stability problems are solved in 0.90.1 according to upstream.

As for the config files, IMHO, the RPM should just run updateclamconf on the 
config files in /etc, if someone puts config files for a system-wide daemon or 
a system-wide update tool out of /etc, that's their problem, they're on their 
own for fixing it.
Comment 33 Heiner Westphal 2007-04-16 05:36:49 EDT
Isn't there at least a way to allow for manual upgrade while disallowing
automated upgrade (some alert to wake up unaware mail admins should be provided
though)?

Breaking a virus-checking mail server by automated updates is no good, but
preventing to fix security holes (see e.g. release notes of 0.90.2) is even 
worse.

I'd prefer not to break the dependency chain with amavisd rpms by compiling my
own clamav.

Is there any mechanism in yum-updatesd which allows to restrict an upgrade to
manual?
Comment 34 Felix Schwarz 2007-04-16 06:14:55 EDT
Now the problem got worse as there seem to be security problems with the current
clamav package (see CVE-2007-1745). I guess, this fix will be backported given
the headaches the new configuration causes?
Comment 35 Enrico Scholz 2007-04-16 06:29:31 EDT
0.88.7-2 should not be vulnerable to the issues fixed by 0.90.2.

CHM fd leak does not seem to triggerable by attackers (happens only when an
'fdopen()' fails, and there is a test whether open(2) returns !0 instead of <0).
0.90.x executes other code which might lead to the fd leak.

CAB scanning was disabled by the fix for CVE-2007-0897, and 0.88.7 does not
contain code for PDF scanning overall.

Comment 36 Marie Henri Beyle 2007-05-04 03:40:19 EDT
OK, Enrico will not add updated clamav packages to Fedora Core Repos. 
Is there any *official* Repo that include current packages (current=0.91)? 
Where can I obtain instructions on how can update the compatible Fedora Core
package from sources?
If package maintainer does not add a current version to repos, at least he would
write a document for people that want update compatible packages.
Comment 37 Enrico Scholz 2007-05-18 05:31:14 EDT
*** Bug 240531 has been marked as a duplicate of this bug. ***
Comment 38 Matthew Miller 2007-08-02 21:26:51 EDT
Marie Henri Beyle, others: if you want new packages, upgrade to the newest
Fedora release. F7 has (currently) 0.90.3, and Rawhide (the devel branch) has
0.91.1.

If you can't upgrade your whole system right now, you could rebuild one of those
packages.
Comment 39 Michael H. Warfield 2007-11-16 11:54:39 EST
Current version on ClamAV site is 0.91.2 and may fix some serious security
holes.    ClamAV bugs 608 and 614 are locked and one site is taking bids on
proof of concept code for a remote execution exploit they claim works against
0.91.1.  0.91.2 is almost 3 months old.  Even F7 may be vulnerable.  Please make
this a high severity.
Comment 40 Michael H. Warfield 2007-11-16 12:24:24 EST
(In reply to comment #39)
> Current version on ClamAV site is 0.91.2 and may fix some serious security
> holes.    ClamAV bugs 608 and 614 are locked and one site is taking bids on
> proof of concept code for a remote execution exploit they claim works against
> 0.91.1.  0.91.2 is almost 3 months old.  Even F7 may be vulnerable.  Please make
> this a high severity.

Never mind.  Was looking at an FC6 system I thought had already been upgraded to
F7.  F7 is current.  Should still release for FC6, since it is now a security
problem.
Comment 41 Enrico Scholz 2007-11-17 08:00:04 EST
named bugs should be no issue for clamav-0.88.x. It does not have a PDF scanner
nor the vulnerable blackhole milter-mode.
Comment 42 John Griffiths 2007-12-31 08:49:54 EST
Here we go again in Fedora 8.

--------------------- clam-update Begin ------------------------ 

 
 Last ClamAV update process started at Sun Dec 30 20:02:09 2007
 
 Last Status:
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.91.2 Recommended version: 0.92
    DON'T PANIC! Read http://www.clamav.net/support/faq
    main.inc is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)
    Downloading daily-5300.cdiff [100%]
    Downloading daily-5301.cdiff [100%]
    Downloading daily-5302.cdiff [100%]
    Downloading daily-5303.cdiff [100%]
    Downloading daily-5304.cdiff [100%]
    daily.inc updated (version: 5304, sigs: 14622, f-level: 21, builder: ccordes)
    Database updated (184298 signatures) from db.us.clamav.net (IP: 65.110.48.11)
 
 ---------------------- clam-update End ------------------------- 
Comment 43 John Griffiths 2007-12-31 08:57:00 EST
Fedora version needs to be updated to 8.
Comment 44 Michael H. Warfield 2008-01-08 09:08:52 EST
Worse.  There's now a remote code execution exploit against 0.91.2 at Milw0rm.
Comment 45 David Highley 2008-01-26 00:01:42 EST
Resolved now that update 0.92-6 has been released for Fedora 8.

Note You need to log in before you can comment on or make changes to this bug.