I saw this CVE for ClamAV with a remote buffer overflow and got to wondering about how often ClamAV is updated in Zimbra (and any other package that has an outstanding security vulnerability).


and there are a few others.

I noticed that Zimbra is still using 0.88.4.

Anybody care to address this? Should I be concerned?

I'm thinking there ought to be Zimbra micro-patches. I'm certain I can recompile ClamAV without affecting the rest of Zimbra, but it would be nice if there were an 'official' way to do this without a full-blown upgrade.