[VUA 24-1] Updated clamav package
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ---------------------------------------------------------------------------
Debian Volatile Update Announcement VUA 24-1     http://volatile.debian.net
debian-volatile@lists.debian.org                               Stephen Gran
December 12th, 2006                              Felipe Augusto van de Wiel
- ---------------------------------------------------------------------------
Package : clamav
Version : 0.88.7-0volatile1
Importance : high
CVE IDs : CVE-2006-6406
          [ not known yet ]

The following security flaws were found and fixed in clamav:

CVE-2006-6406:
  A vulnerability has been discovered in clamav's MIME parser that can allow
  a carefully crafted message to bypass scanning.

[ not known yet ]:
  A vulnerability has been discovered in clamav's routines for examining
  nested multipart MIME sections that could be exploited to cause a denial
  of service.
For sarge, an updated clamav package is available in sarge/volatile
as version 0.88.7-0volatile1. We recommend that you update your system.
This advisory was sent out without builds for arm, m68k, mips, mipsel
and s390 architectures being available. They will be released as soon
as they are available.
Bugfixes from upstream
- ----------------------
 - libclamav/message.c: handle consecutive errors in base64 decoding
   [CVE-2006-6406]
 - libclamav/mbox.c: honour recursion limit when scanning email messages
   - clamscan: new option --mail-max-recursion
   - clamd/clamav-milter: new option MailMaxRecursion [CVE not known yet]
 - libclamav/untar.c: honour archive limits
 - freshclam: apply timeout patch
   (new options: ConnectTimeout and ReceiveTimeout)
 - clamd: change stack size at the right place
 - libclamav/petite.c: sanity check the number of rebuilt sections
   (speeds up handling of malformed files)
Upgrade Instructions
- --------------------
You can get the updated packages at

  http://volatile.debian.net/debian-volatile/pool/volatile/main/c/clamav/

and install them with dpkg, or add

  deb http://volatile.debian.net/debian-volatile sarge/volatile main
  deb-src http://volatile.debian.net/debian-volatile sarge/volatile main

to your /etc/apt/sources.list. You can also use any of our mirrors.
See http://www.debian.org/devel/debian-volatile/volatile-mirrors for
the full list of mirrors. The archive signing key can be downloaded from
http://volatile.debian.net/ziyi-sarge.asc
For further information about debian-volatile, please refer to
http://volatile.debian.net/ and http://www.debian.org/devel/debian-volatile/.
If there are any issues, please don't hesitate to get in touch with the
volatile team.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFFfyJ+mdOZoew2oYURAluHAJ0eBXVcgjFkgXJL8OErMQIDBmKOFgCbByJc
CqERfww38am0cpLG9lybiow=
=59qR
-----END PGP SIGNATURE-----
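
The libclamav/mbox.c fix listed under "Bugfixes from upstream" bounds how deep the scanner follows nested multipart MIME sections. The sketch below is an added illustration of that technique using Python's standard email package; it is not code from ClamAV or from this announcement. MAX_MIME_DEPTH, build_nested, scan_parts and verdict are hypothetical names, and the sample messages are constructed.

```python
from email import message_from_bytes

MAX_MIME_DEPTH = 16  # hypothetical limit for this sketch, not a ClamAV default


class MimeDepthExceeded(Exception):
    """Multipart nesting is deeper than the scanner is willing to follow."""


def build_nested(depth):
    """Constructed sample: a text part wrapped in `depth` multipart/mixed layers."""
    body = b"Content-Type: text/plain\r\n\r\ninnermost part\r\n"
    for level in range(depth):
        boundary = b"lvl%04d" % level
        body = (b'Content-Type: multipart/mixed; boundary="' + boundary + b'"\r\n\r\n'
                + b"--" + boundary + b"\r\n" + body
                + b"\r\n--" + boundary + b"--\r\n")
    return b"MIME-Version: 1.0\r\n" + body


def scan_parts(raw, max_depth=MAX_MIME_DEPTH):
    """Return (depth, content_type) for each leaf part, or raise past max_depth."""
    leaves = []
    stack = [(message_from_bytes(raw), 0)]  # explicit stack: no recursion in the walk
    while stack:
        part, depth = stack.pop()
        if not part.is_multipart():
            leaves.append((depth, part.get_content_type()))
            continue
        if depth + 1 > max_depth:
            # Stop instead of descending; the caller must not report "clean".
            raise MimeDepthExceeded("nesting exceeds %d levels" % max_depth)
        stack.extend((child, depth + 1) for child in reversed(part.get_payload()))
    return leaves


def verdict(raw, max_depth=MAX_MIME_DEPTH):
    """Map the walk to a result; an over-deep message is flagged, never passed."""
    try:
        scan_parts(raw, max_depth)
        return "scanned"
    except MimeDepthExceeded:
        return "rejected: nesting limit"


if __name__ == "__main__":
    print(verdict(build_nested(3)))    # within the limit
    print(verdict(build_nested(40)))   # deeper than MAX_MIME_DEPTH
```

Python's parser builds the whole part tree before the walk starts, so this sketch bounds only the per-part scanning work; a scanner that parses as it descends has to apply the same check inside the parser.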