Bug#1063621: bookworm-pu: package clamav/clamav_1.0.5+dfsg-1~deb12u1
On 2024-02-09 23:12:18 [+0100], To submit@bugs.debian.org wrote:
> Package: release.debian.org
> Control: affects -1 + src:clamav
> X-Debbugs-Cc: clamav@packages.debian.org
> User: release.debian.org@packages.debian.org
> Usertags: pu
> Tags: bookworm
> Severity: normal
>
> This is an update to the latest clamav release in the 1.0.x series. This
> update closes two CVEs:
>
> - CVE-2024-20290: Fixed a possible heap overflow read bug in the OLE2 file
> parser that could cause a denial-of-service (DoS) condition.
>
> - CVE-2024-20328: Fixed a possible command injection vulnerability in the
> "VirusEvent" feature of ClamAV's ClamD service.
>
> To fix this issue, we disabled the '%f' format string parameter. ClamD
> administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME` environment
> variable, instead of '%f'. But you should do so only from within an
> executable, such as a Python script, and not directly in the clamd.conf
> "VirusEvent" command.
A friendly ping.
Sebastian
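The VirusEvent change described above, as an added example that is not code from the clamav project or the Debian update: a hypothetical POSIX sh handler (virusevent-handler.sh) that reads CLAM_VIRUSEVENT_FILENAME from the environment instead of taking a '%f' argument, so the file name stays data and is never re-parsed by a shell. The CLAM_VIRUSEVENT_VIRUSNAME variable is another one clamd exports alongside it; the log path and the --run flag are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical virusevent-handler.sh (example, not part of clamav or the Debian update).
# clamd.conf line that the fix no longer supports, since %f substituted the file name
# straight into the command line:
#   VirusEvent /usr/local/bin/virusevent-handler.sh "%f"
# Recommended form: no %f; clamd exports CLAM_VIRUSEVENT_FILENAME (and
# CLAM_VIRUSEVENT_VIRUSNAME) and the script reads them as data:
#   VirusEvent /usr/local/bin/virusevent-handler.sh --run

# Accept only absolute paths made of printable characters, so a crafted name
# cannot smuggle newlines or other control characters into a line-oriented log.
valid_event_path() {
    case "$1" in
        /*) ;;
        *) return 1 ;;
    esac
    nonprint=$(printf '%s' "$1" | LC_ALL=C tr -d '[:print:]' | wc -c | tr -d ' ')
    [ "$nonprint" -eq 0 ]
}

# Append one tab-separated record (UTC time, signature, path) to the log in $1.
# Exit status: 0 logged, 2 no file name in the environment, 3 file name rejected.
handle_virus_event() {
    log=$1
    file=${CLAM_VIRUSEVENT_FILENAME:-}
    sig=${CLAM_VIRUSEVENT_VIRUSNAME:-unknown}
    if [ -z "$file" ]; then
        echo "virusevent: CLAM_VIRUSEVENT_FILENAME is not set" >&2
        return 2
    fi
    if ! valid_event_path "$file"; then
        echo "virusevent: rejected file name" >&2
        return 3
    fi
    # The name is one printf argument; shell metacharacters inside it are inert.
    printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$sig" "$file" >> "$log"
}

# Entry point when clamd runs the script with --run; log path is an assumed example.
# The guard keeps the functions reusable when the file is sourced instead.
if [ "${1:-}" = "--run" ]; then
    handle_virus_event /var/log/clamav/virusevent.log
fi
```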