
[VUA 24-1] Updated clamav package



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------------
Debian Volatile Update Announcement VUA 24-1     http://volatile.debian.net
debian-volatile@lists.debian.org                               Stephen Gran
December 12th, 2006                              Felipe Augusto van de Wiel
- ---------------------------------------------------------------------------

Package              : clamav
Version              : 0.88.7-0volatile1
Importance           : high
CVE IDs              : CVE-2006-6406
                       [ not known yet ]

The following security flaws were found and fixed in clamav:

CVE-2006-6406:

    A vulnerability has been discovered in clamav's MIME parser that can allow
    a carefully crafted message to bypass scanning.


[ not known yet ]:

    A vulnerability has been discovered in clamav's routines for examining
    nested multipart MIME sections that could be exploited to lead to a Denial
    of service attack.


For sarge, an updated clamav package is available in sarge/volatile
as version 0.88.7-0volatile1. We recommend that you update your system.


This advisory was sent out without builds for arm, m68k, mips, mipsel
and s390 architectures being available. They will be released as soon
as they are available.

Bugfixes from upstream
- ----------------------
    - libclamav/message.c: handle consecutive errors in base64 decoding
      [CVE-2006-6406]
    - libclamav/mbox.c: honour recursion limit when scanning email messages
    - clamscan: new option --mail-max-recursion
    - clamd/clamav-milter: new option MailMaxRecursion [CVE not known yet]
    - libclamav/untar.c: honour archive limits
    - freshclam: apply timeout patch
      (new options: ConnectTimeout and ReceiveTimeout)
    - clamd: change stack size at the right place
    - libclamav/petite.c: sanity check the number of rebuilt sections
      (speeds up handling of malformed files)


Upgrade Instructions
- --------------------

You can get the updated packages at

http://volatile.debian.net/debian-volatile/pool/volatile/main/c/clamav/

and install them with dpkg, or add

 deb http://volatile.debian.net/debian-volatile sarge/volatile main
 deb-src http://volatile.debian.net/debian-volatile sarge/volatile main

to your /etc/apt/sources.list. You can also use any of our mirrors.
See http://www.debian.org/devel/debian-volatile/volatile-mirrors for
the full list of mirrors.  The archive signing key can be downloaded from
http://volatile.debian.net/ziyi-sarge.asc

For further information about debian-volatile, please refer to
http://volatile.debian.net/ and http://www.debian.org/devel/debian-volatile/.

If there are any issues, please don't hesitate to get in touch with the
volatile team.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFfyJ+mdOZoew2oYURAluHAJ0eBXVcgjFkgXJL8OErMQIDBmKOFgCbByJc
CqERfww38am0cpLG9lybiow=
=59qR
-----END PGP SIGNATURE-----
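
The following is an added illustration, not part of the advisory and not ClamAV's code, of the recursion limit that the bugfix list describes for nested multipart MIME sections. It assumes a hypothetical `max_recursion` parameter modelled on the `MailMaxRecursion` option, a constructed sample message, and a policy (an assumption) of reporting an over-limit message as truncated rather than treating it as fully scanned.

```python
import email


def build_nested(levels: int) -> bytes:
    """Constructed sample: `levels` multipart/mixed containers, one inside the other."""
    body = "Content-Type: text/plain\r\n\r\ninnermost part\r\n"
    for i in range(levels):
        boundary = f"=_level{i:03d}_="
        body = (f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n\r\n'
                f"--{boundary}\r\n{body}\r\n--{boundary}--\r\n")
    return ("MIME-Version: 1.0\r\n" + body).encode("ascii")


def scan_nested(raw: bytes, max_recursion: int) -> dict:
    """Walk the MIME tree with an explicit stack and a hard depth limit.

    max_recursion is a hypothetical parameter modelled on MailMaxRecursion.
    Parts nested deeper than the limit are not descended into; the result
    records that the walk was truncated so the caller can flag the message.
    """
    root = email.message_from_bytes(raw)
    stack = [(root, 0)]          # (part, nesting depth); the top-level message is depth 0
    leaves = 0                   # non-multipart parts actually reached
    deepest = 0                  # deepest level that was examined
    truncated = False            # True when at least one part was beyond the limit
    while stack:
        part, depth = stack.pop()
        if depth > max_recursion:
            truncated = True     # bounded work: skip instead of descending further
            continue
        deepest = max(deepest, depth)
        if part.is_multipart():
            stack.extend((child, depth + 1) for child in part.get_payload())
        else:
            leaves += 1
    return {"leaves": leaves, "deepest": deepest, "truncated": truncated}


if __name__ == "__main__":
    # Shallow message: fully walked, the single text part is reached.
    print(scan_nested(build_nested(3), max_recursion=8))
    # Deeply nested message: the walk stops at the limit and says so.
    print(scan_nested(build_nested(20), max_recursion=8))
```

A caller should treat `truncated` as a reason to flag or quarantine the message, since the parts below the limit were never examined.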


