A vulnerability was found in ClamAV. Versions prior to 0.101.3 are susceptible to a zip bomb vulnerability where an unauthenticated attacker can cause a denial of service condition by sending crafted messages to an affected system.
Created clamav tracking bugs for this issue:
Affects: epel-all [bug 1770104]
Affects: fedora-all [bug 1770103]
I don't quite follow this. Fedora and EPEL7 are already at 0.101.4. And the references above are for bzip2.
External References: https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html
(In reply to Dhananjay Arunesh from comment #0)
> A vulnerability was found in ClamAV. Versions prior to 0.101.3 are
> susceptible to a zip bomb vulnerability where an unauthenticated attacker
> can cause a denial of service condition by sending crafted messages to an
> affected system.

Even el6 has this security fix [1], closing as not a bug.

[1] https://apps.fedoraproject.org/packages/clamav

Rawhide          0.101.4-1.fc32            None
Fedora 32        0.101.4-1.fc32            None
Fedora 31        0.101.4-1.fc31            None
Fedora 30        0.101.4-1.fc30 (update)   None
Fedora 29        0.101.4-1.fc29 (update)   None
Fedora EPEL 8    0.101.4-1.el8             None
Fedora EPEL 7    0.101.4-1.el7             None
Fedora EPEL 6    0.100.3-1.el6             None

Sorry, read too fast: EL6 has 0.100.3, not 0.101.3.