
Bug#904199: stretch-pu: package clamav/ 0.100.0+dfsg-0+deb9u2



On Sat, 2018-07-28 at 10:48 +0200, Sebastian Andrzej Siewior wrote:
> On 2018-07-28 09:24:28 [+0100], Adam D. Barratt wrote:
> > Was the intent that the package would be pushed via -updates?
> 
> Yes, please. If you need additional information I can provide them on
> Sunday evening.

My weekend's ended up busier than I expected, so unfortunately I didn't
get chance to sort this out yet.

How does the below sound as a draft for the relevant part of the SUA?
(Based on the style of some previous SUAs - and indeed VUAs - for new
clamav upstream versions.)

<draft>
ClamAV is an AntiVirus toolkit for Unix.

Upstream published version 0.100.1.

This is mostly a bug-fix release. The changes are not strictly
required for operation, but users of the previous version in stretch
may not be able to make use of all current virus signatures and might
get warnings.

Changes since 0.100.0 currently in stretch include fixes for two
security issues.

CVE-2018-0360

  ClamAV before 0.100.1 has an HWP integer overflow with a resultant
  infinite loop via a crafted Hangul Word Processor file.

CVE-2018-0361

  ClamAV before 0.100.1 lacks a PDF object length check, resulting
  in an unreasonably long time to parse a relatively small file.
</draft>

Apologies if the initial section is incorrect, it wasn't entirely clear
to me whether there would be warnings for the bump from 0.100.0 to
0.100.1.

Regards,

Adam