---------------------------------------------------------------------------
Debian Volatile Update Announcement VUA 32-1 http://volatile.debian.org
debian-volatile@lists.debian.org Andreas Barth
June 01st, 2007
---------------------------------------------------------------------------
Package    : clamav
Version    : 0.90.3-0volatile1 and 0.90.3-1~volatile1
Importance : high
CVE IDs    : CVE-2007-2650
             3 further CVE IDs not yet assigned

The following security flaws were found and fixed in clamav:

[CVE-2007-2650]: libclamav/ole2_extract.c: detect block list loop
[CVE-2007-XXXX]: libclamav/unsp.c: fix end of buffer calculation
[CVE-2007-XXXX]: libclamav/unrar/unrar.c: heap corruption causing DoS with
                 corrupted rar archive, better handle truncated files
[CVE-2007-XXXX]: libclamav/others.c: tighten permissions on unpacked files

For sarge, an updated clamav package is available in sarge/volatile
as version 0.90.3-0volatile1.

For etch, an updated clamav package is available in etch/volatile
as version 0.90.3-1~volatile1.

We recommend that you update your system.

This advisory was sent out without builds for alpha, m68k, mips, mipsel
and sparc architectures being available. They will be released as soon
as they are available.

Upgrade Instructions
--------------------

You can get the updated packages at

  http://volatile.debian.org/debian-volatile/pool/volatile/main/c/clamav

and install them with dpkg, or add for sarge

  deb http://volatile.debian.org/debian-volatile sarge/volatile main
  deb-src http://volatile.debian.org/debian-volatile sarge/volatile main

or for etch

  deb http://volatile.debian.org/debian-volatile etch/volatile main
  deb-src http://volatile.debian.org/debian-volatile etch/volatile main

to your /etc/apt/sources.list. You can also use any of our mirrors. See
http://www.debian.org/volatile/volatile-mirrors for the full list of
mirrors. The archive signing keys can be downloaded from
http://volatile.debian.org/ziyi-sarge.asc and
http://volatile.debian.org/ziyi-etch.asc

For further information about debian-volatile, please refer to
http://volatile.debian.org/ and http://www.debian.org/volatile/.

If there are any issues, please don't hesitate to get in touch with the
volatile team.
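
A check to run after upgrading, given here as an added example that is not part of the original announcement: it compares a clamav package version against the fixed versions named above, using dpkg's own version ordering. The function names are made up for this example, and it assumes dpkg and dpkg-query are on the PATH.

```shell
#!/bin/sh
# Added example, not from the announcement. Fixed versions are copied
# from VUA 32-1; function names are hypothetical.
FIXED_SARGE='0.90.3-0volatile1'
FIXED_ETCH='0.90.3-1~volatile1'

# clamav_is_fixed RELEASE VERSION
# Returns 0 if VERSION is at or above the fixed version for RELEASE,
# 1 if it is older, 2 for an unknown release or an empty version.
clamav_is_fixed() {
    release=$1 version=$2
    case $release in
        sarge) fixed=$FIXED_SARGE ;;
        etch)  fixed=$FIXED_ETCH ;;
        *)     return 2 ;;
    esac
    [ -n "$version" ] || return 2
    # In Debian version ordering "~" sorts before the end of the string,
    # so 0.90.3-1~volatile1 is lower than 0.90.3-1. A plain string
    # comparison gets this wrong; dpkg does not.
    if dpkg --compare-versions "$version" ge "$fixed"; then
        return 0
    fi
    return 1
}

# Print the installed clamav version, or nothing if it is not installed.
installed_clamav_version() {
    dpkg-query -W -f='${Version}' clamav 2>/dev/null || true
}

# report RELEASE: print the fix status of the clamav package on this host.
report() {
    v=$(installed_clamav_version)
    if [ -z "$v" ]; then
        echo "clamav is not installed"
    elif clamav_is_fixed "$1" "$v"; then
        echo "clamav $v contains the VUA 32-1 fixes"
    else
        echo "clamav $v predates VUA 32-1, update needed"
    fi
}

# Usage: sh check.sh sarge   or   sh check.sh etch
if [ $# -gt 0 ]; then report "$1"; fi
```

The same check applies to libclamav and the other binary packages built from the clamav source; pass their version strings to `clamav_is_fixed` directly.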