[SECURITY] [DLA 4292-1] clamav security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4292-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Lucas Kanashiro
September 04, 2025                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : clamav
Version        : 1.0.9+dfsg-1~deb11u1
CVE ID         : CVE-2025-20128 CVE-2025-20260
Debian Bug     : 1093880 1108046

A couple of vulnerabilities have been fixed in ClamAV, an anti-virus utility
for Unix.

CVE-2025-20128

    The Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV
    could allow an unauthenticated, remote attacker to cause a denial of service
    (DoS) condition on an affected device.

CVE-2025-20260

    The PDF scanning processes of ClamAV could allow an unauthenticated, remote
    attacker to cause a buffer overflow condition, cause a denial of service (DoS)
    condition, or execute arbitrary code on an affected device.

For Debian 11 bullseye, these problems have been fixed in version
1.0.9+dfsg-1~deb11u1.

We recommend that you upgrade your clamav packages.

For the detailed security status of clamav please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/clamav

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS