Hi,

I'm just trying to compile the latest version of ClamAV (0.96.3) and the configure script checks for the presence of a vulnerability (CVE-2010-0405) in the bzip2 library. The check they use seems to indicate that my SLES 10 SP3 mail servers are in some way vulnerable because it ends up in an infinite loop consuming 100% CPU. The configure script works fine on my machines that run Debian lenny, where the bzip2 packages received a recent security update to fix this problem.

More info here:

Debian security update: http://security-tracker.debian.org/tracker/CVE-2010-0405
Discussion of the vulnerability: http://xorl.wordpress.com/2010/09/21/cve-2010-0405-bzip2-integer-overflow/

Does anybody know if Novell consider this a vulnerability and are they planning on releasing an update to bzip2 to fix it? I'd rather stick with the official published RPM versions of the bzip2 libraries and not have to replace them manually.

Thanks,
Andy Spiers