ProxyAV buffer overflow in libpng (CVE-2010-1205)
ProxyAV uses a version of libpng that is vulnerable to a buffer overflow attack. This vulnerability could allow a remote attacker to read and modify ProxyAV data.
All versions of ProxyAV prior to 220.127.116.11 are vulnerable
ProxyAV uses libpng version 1.2.8 to generate statistical graphs in PNG format. This version of libpng is vulnerable to a buffer overflow attack. It is possible that a remote attacker could execute arbitrary code on ProxyAV through this library that would run with escalated privileges.
ProxyAV 18.104.22.168 contains an upgrade to libpng version 1.2.46 fixing this CVE.
Deploying ProxyAV behind a firewall and adding constraints on what IP addresses can be used to connect to ProxyAV will greatly limit the ability to attack a ProxyAV installation.
ProxyAV 3.4 - a fix is available in 22.214.171.124. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/4.
ProxyAV 3.3 - a fix is avialable in 126.96.36.199. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/4.
ProxyAV 3.2 and earlier - please upgrade to a later version.
CVE-2010-1205 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1205
2012-12-10 Notification of fix for 3.3
2011-12-02 Initial public release