[VUA 3-1] Updated clamav packages fixes potential DoS

To: debian-volatile-announce@lists.debian.org
Subject: [VUA 3-1] Updated clamav packages fixes potential DoS
From: Andreas Barth <aba@not.so.argh.org>
Date: Wed, 6 Jul 2005 08:50:15 +0200
Message-id: <[🔎] 20050706065015.GC5540@mails.so.argh.org>
Mail-followup-to: Andreas Barth <aba@not.so.argh.org>, debian-volatile-announce@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------------
Debian Volatile Update Announcement VUA 3-1      http://volatile.debian.net
debian-volatile@lists.debian.org                              Andreas Barth
July  6th, 2005
- ---------------------------------------------------------------------------


Package              : clamav
Version              : 0.86.1-0volatile2
Importance           : high
CVE IDs              : CAN-2005-1922, CAN-2005-1923, CAN-2005-2056, CAN-2005-2070

The virus patterns available on clamav.net have started to use newer
patterns.  Older scanners will not recognize viruses described by
the newer patterns.

Additionally, some security flaws were found:
CAN-2005-1922: libclamav/scanners.c: fix potential remote DoS
CAN-2005-1923: libclamav/mspack/cabd.c: fix possible infinite loop
CAN-2005-2056: libclamav/mspack/qtmd.c: fix possible crash
CAN-2005-2070: potential DoS to the sendmail interface in clamav-milter
<unassigned> : libclamav/cvd.c: fix potential directory traversal in cvd
               unpacker
<unassigned> : libclamav/message.c: fix potential crash with more than one
               content-disposition type line

For sarge, an updated clamav package is available in sarge/volatile
as version 0.86.1-0volatile2.



Upgrade Instructions
- --------------------

You can get the updated packages at

http://volatile.debian.net/debian-volatile/pool/volatile/main/c/clamav/
 
and install them with dpkg, or add

 deb http://volatile.debian.net/debian-volatile sarge/volatile main
 deb-src http://volatile.debian.net/debian-volatile sarge/volatile main

to your /etc/apt/sources.list. You can also use any of our mirrors.
Please see http://volatile.debian.net/mirrors.html for the full list
of mirrors.  The archive signing key can be downloaded from
http://volatile.debian.net/ziyi-2005.asc

For further information about debian-volatile, please refer to
http://volatile.debian.net/.

If there are any issues, please don't hesitate to get in touch with the
volatile team.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCy38nmdOZoew2oYURAuDLAKCcP8ku8yfOBtn7rUY1G6j1ciQHOwCggaBd
HoTp3qNWythJahHQOiP2vP0=
=xzis
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [VUA 2-1] Updated clamav-data package contains current patterns
Next by Date: [VUA 2-2] Automatically updated clamav-data packages contain current patterns - Process Update
Previous by thread: [VUA 2-1] Updated clamav-data package contains current patterns
Next by thread: [VUA 2-2] Automatically updated clamav-data packages contain current patterns - Process Update
Index(es):
- Date
- Thread