Posted to mirrors@apache.org by Brad Koehn <br...@koehn.com> on 2016/01/02 00:21:06 UTC

Infected PDF

ClamAV 0.99 (main.cvd version:55; daily.cld version: 21218; bytecode.cld version: 270) is reporting a virus in one of the httpd files on my mirror:

httpd/docs/apache-docs-1.3.23.pdf.zip: BC.Exploit.CVE_2012_4148 FOUND

This is on http://mirrors.koehn.com/apache/httpd/docs/apache-docs-1.3.23.pdf.zip (on my mirror, which is rsynced from rsync.apache.org::apache-dist, and presumably other mirrors from the same source). I’m not sure how long the exploit has been there, or even if it’s a false positive, but thought I should let you know.

Re: Infected PDF

Posted by Ryan Barclay <ry...@rbftpnetworks.com>.
False positive.

Sent from my iPhone

> On 2 Jan 2016, at 00:12, Lars Eilebrecht <la...@apache.org> wrote:
> 
> Brad Koehn wrote:
>> ClamAV 0.99 (main.cvd version:55; daily.cld version: 21218; bytecode.cld version: 270) is reporting a virus in one of the httpd files on my mirror:
>> 
>> httpd/docs/apache-docs-1.3.23.pdf.zip: BC.Exploit.CVE_2012_4148 FOUND
>> 
>> This is on http://mirrors.koehn.com/apache/httpd/docs/apache-docs-1.3.23.pdf.zip (on my mirror, which is rsynced from rsync.apache.org::apache-dist, and presumably other mirrors from the same source). I’m not sure how long the exploit has been there, or even if it’s a false positive, but thought I should let you know.
> 
> 
> Thank you very much for your message.
> 
> I've double-checked the file (on your mirror and apache.org) and according
> to www.virustotal.com only ClamAV (1 out of 55 virus scanners) considers
> it as infected. Also, the infection mentioned by ClamAV is for a CVE
> from 2012, but the file itself was last updated in 2009.
> I'm therefore considering it a false positive.
> 
> 
> Best regards
> -- 
> Lars Eilebrecht
> lars@apache.org
> 

Re: Infected PDF

Posted by Lars Eilebrecht <la...@apache.org>.
Brad Koehn wrote:
> ClamAV 0.99 (main.cvd version:55; daily.cld version: 21218; bytecode.cld version: 270) is reporting a virus in one of the httpd files on my mirror:
> 
> httpd/docs/apache-docs-1.3.23.pdf.zip: BC.Exploit.CVE_2012_4148 FOUND
> 
> This is on http://mirrors.koehn.com/apache/httpd/docs/apache-docs-1.3.23.pdf.zip (on my mirror, which is rsynced from rsync.apache.org::apache-dist, and presumably other mirrors from the same source). I’m not sure how long the exploit has been there, or even if it’s a false positive, but thought I should let you know.


Thank you very much for your message.

I've double-checked the file (on your mirror and apache.org) and according
to www.virustotal.com only ClamAV (1 out of 55 virus scanners) considers
it as infected. Also, the infection mentioned by ClamAV is for a CVE
from 2012, but the file itself was last updated in 2009.
I'm therefore considering it a false positive.


Best regards
-- 
Lars Eilebrecht
lars@apache.org
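
The local part of the triage in the reply above (same file on the mirror and on apache.org, and content older than the CVE named in the signature) can be scripted; this is an added example, not code from the thread or from the Apache infrastructure team. It assumes the "last updated" date is taken from the zip member timestamps, and the helper names and the sample archive are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# clamscan reports a hit as "<path>: <signature name> FOUND"
HIT = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
CVE_YEAR = re.compile(r"CVE[_-](\d{4})[_-]\d+")

def parse_hit(line):
    """Return (path, signature, cve_year or None), or None if not a hit line."""
    m = HIT.match(line.strip())
    if not m:
        return None
    year = CVE_YEAR.search(m["sig"])
    return m["path"], m["sig"], int(year.group(1)) if year else None

def newest_member_year(data):
    # Zip timestamps are metadata set by whoever built the archive, so this
    # check only carries weight when the hash also matches the origin copy.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return max(info.date_time[0] for info in zf.infolist())

def triage(line, mirror_bytes, origin_bytes):
    hit = parse_hit(line)
    if hit is None:
        raise ValueError("not a clamscan FOUND line")
    path, sig, cve_year = hit
    newest = newest_member_year(mirror_bytes)
    return {
        "path": path,
        "signature": sig,
        "matches_origin": hashlib.sha256(mirror_bytes).digest()
        == hashlib.sha256(origin_bytes).digest(),
        "cve_year": cve_year,
        "newest_member_year": newest,
        "predates_cve": cve_year is not None and newest < cve_year,
    }

def make_zip(name, payload, year):
    # Constructed sample archive; stands in for the real download.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo(name, date_time=(year, 1, 1, 0, 0, 0)), payload)
    return buf.getvalue()

if __name__ == "__main__":
    line = "httpd/docs/apache-docs-1.3.23.pdf.zip: BC.Exploit.CVE_2012_4148 FOUND"
    origin = make_zip("apache-docs-1.3.23.pdf", b"constructed sample", 2009)
    print(triage(line, origin, origin))
```

A result with `matches_origin` false means the mirror copy differs from the origin and should be re-synced and re-examined regardless of the date comparison.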