Are we[tm] affected? https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6419 libmspack is apparently not a dependency, but also some Ubuntu-Versions use an embedded one.
Hello? What's the reason this not being reacted upon?
I work with the ClamAV folks. I'll investigate with the team in the morning.
Any progress?
Confirmed and added to vuxml.
A commit references this bug: Author: feld Date: Sat Sep 2 16:43:50 UTC 2017 New revision: 449153 URL: https://svnweb.freebsd.org/changeset/ports/449153 Log: Document clamav vulnerability PR: 221608 Security: CVE-2017-6419 Changes: head/security/vuxml/vuln.xml
Actually no, I'm looking at the wrong source. 0.99.3 isn't released yet. This doesn't affect us.