Upstream [1] says: "An update has been issued on August 29, 2006 to solve this vulnerability." I couldn't find the fixed version number. Andrej, can you please bump to a fixed version? Thanks.

[1] http://www.bitdefender.com/KB323-en--cevakrnl.xmd-vulnerability.html
I wonder why I haven't noticed this before. Quoting the URL above: "An update has been issued on August 29, 2006 to solve this vulnerability. The update has been delivered immediately to all BitDefender users through regular automatic update mechanism, so no user action is required." Thus, there's no need for a version bump, as this has been fixed for every user who regularly updates via "bdc --update", since the cevakrnl.xmd file is one of those being updated this way. I will be adding 7.1 later today, just after I figure out what to do with a file collision that happens with this version. It's up to you guys whether you want to close this bug once 7.1 is added (since the cevakrnl.xmd shipped with it is fixed).
Just an update: I haven't found a good way to handle collision-protect for 7.1. It is in the tree, but masked. Perhaps someone can help me out here? To reproduce the issue at hand, merge 7.0.1-r1, issue "bdc --update", and merge 7.1 (after unmasking it) with FEATURES="collision-protect".
Adding herd to get some response.
Antivirus team, please advise, or we will have to take some nasty decision like a temporary masking, a GLSA or so :( Thanks in advance.
I'm afraid I'm the only one regularly active on the antivirus team, and I'm out of ideas on how to handle the bitdefender-console update without file collisions. 7.1 is in the tree, package.masked. To reproduce the trouble I'm having, merge 7.0.1-r1, update the malware database with "bdc --update", and update to 7.1 with FEATURES="collision-protect". BTW, I repeat that anyone who does "bdc --update" with 7.0.1 (or earlier) gets an updated and non-vulnerable cevakrnl.xmd file.
> BTW, I repeat that anyone who does "bdc --update" with 7.0.1 (or earlier) gets
> an updated and non-vulnerable cevakrnl.xmd file.

Thanks for all your answers, Ticho. Unfortunately I can't help you on the collision issue. Perhaps we could emit a GLSA telling users to do a "bdc --update", but I really hope that our bitdefender-console users have already done that at least once since August. So I propose to close this bug as invalid. Security team, please comment. (I'll close the bug as invalid within 7 days without any answer.)
Obsolete and invalid (considering the Gentoo Security scope, not the anti-virus scope), as said earlier. Feel free to reopen if you disagree.
Just for reference, 7.1 is now unmasked in the tree, after working around the collision issue.