[SECURITY] [DLA 3983-1] clamav security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3983-1] clamav security update
From: Lucas Kanashiro <kanashiro@debian.org>
Date: Fri, 06 Dec 2024 00:21:27 -0300
Message-id: <[🔎] 2f0b02ec01ce02f6f43fd076c41812f6@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3983-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Lucas Kanashiro
December 04, 2024                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : clamav
Version        : 1.0.7+dfsg-1~deb11u1
CVE ID         : CVE-2024-20505 CVE-2024-20506
Debian Bug     : #1080962

Two vulnerabilities were found in ClamAV, an antivirus toolkit for Unix.

CVE-2024-20505

    Affected versions could allow an unauthenticated, remote attacker to cause
    a denial of service (DoS) condition on an affected device. The
    vulnerability is due to an out of bounds read. An attacker could exploit
    this vulnerability by submitting a crafted PDF file to be scanned by ClamAV
    on an affected device. An exploit could allow the attacker to terminate the
    scanning process. 

CVE-2024-20506

    Affected versions could allow an authenticated, local attacker to corrupt
    critical system files. The vulnerability is due to allowing the ClamD
    process to write to its log file while privileged without checking if the
    logfile has been replaced with a symbolic link. An attacker could exploit
    this vulnerability if they replace the ClamD log file with a symlink to a
    critical system file and then find a way to restart the ClamD process. An
    exploit could allow the attacker to corrupt a critical system file by
    appending ClamD log messages after restart.

ClamAV was updated to version 1.0.7+dfsg-1~deb10u1. Due to the library soname
bump, the reverse dependencies of libclamav9 were rebuilt against libclamav11.
The following source packages were updated:

- - c-icap-modules/1:0.5.4-2+deb11u1
- - cyrus-imapd/3.2.6-2+deb11u3
- - havp/0.93-2+deb11u1
- - pg-snakeoil/1.3-2+deb11u1
- - libclamunrar/1.0.3-1~deb11u1

For Debian 11 bullseye, these problems have been fixed in version
1.0.7+dfsg-1~deb11u1.

We recommend that you upgrade your clamav packages.

For the detailed security status of clamav please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/clamav

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEjtbD+LrJ23/BMKhw+COicpiDyXwFAmdRBUoACgkQ+COicpiD
yXyYpw//WIbHJNhglJdtvwPAY+1Zm9sTGL+tpjFOIlYFshOZkeMLEEaxbEMPjfVD
/hnuyQyYQYv1uYYZ2VKgIBuqT0NRms9qFPkpsOga5NgYU/jJCsaXpwigYmcXIpZn
TzHwNL62aAs5zXftLyhmqafpoQHU1m+39o9FeiT+lTGbGLhzWu1c/HvxMLniaIgz
HcNU9cgHr6lEtDi0BVuLtNT8+SQopUCuTY55MkYBtLOciFG2ipx3dBNu/awrYe+e
6h6l8tbFFkAaF6Tus1H4nvEsY8BdemmXRmB1GVZzduwRlEMsRkMMtb4ggKnz+s7r
ZHTvmIYJ4QERvvpdbEB9jl2EesH9sjPZ5uqcDknxGMd10itHsuMCkVAL5fdu8JtZ
AW7CI24GPWlyfdnZ1nsKkZn441bXCvKfNt9L98DmwQbkHas0Y7Yv8/MEbPKDm9im
8eEOCNQ88PqBEKo3D9wFBuKhw6I7aEkajDpiec/4HMkWaPyvCUikuxFeBaz4Akon
dDMOHTqOrl+VMkKk6DOT0Nc8ZfY1j2UlX4Uc+F//cGhrBob/ifDHJpt4mpS7/gNE
OhAjBH+LsYfBMu4y3hU2wRkIoRn2+XoLQsoBvQv50Xx5lRUtLAcy0l8HjHtskiQ0
LFAlXVgnzfVkQ4Br+74tEI7peqAVql/I2wQdGMrKEPNgNdzHapA=
=A9HW
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3982-1] webkit2gtk security update
Next by Date: [SECURITY] [DLA 3984-1] zabbix security update
Previous by thread: [SECURITY] [DLA 3982-1] webkit2gtk security update
Next by thread: [SECURITY] [DLA 3984-1] zabbix security update
Index(es):
- Date
- Thread