
[VUA 13-1] Updated clamav packages fix security flaws



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------------
Debian Volatile Update Announcement VUA 13-1     http://volatile.debian.net
debian-volatile@lists.debian.org                              Andreas Barth
April 6th, 2006
- ---------------------------------------------------------------------------


Package              : clamav
Version              : 0.88.1-0volatile2
Importance           : high
CVE IDs              : CVE-2006-1614 CVE-2006-1615 CVE-2006-1630

The following security flaws were found and fixed in clamav:

CVE-2006-1614

    Damian Put discovered an integer overflow in the PE header parser.
    This is only exploitable if the ArchiveMaxFileSize option is disabled.

CVE-2006-1615

    Format string vulnerabilities in the logging code have been discovered,
    which might lead to the execution of arbitrary code.

CVE-2006-1630

    David Luyer discovered that ClamAV can be tricked into an invalid
    memory access in the cli_bitset_set() function, which may lead to
    a denial of service.

Also, the handling of incorrectly created or handcrafted zip archives
has been improved.

For sarge, an updated clamav package is available in sarge/volatile
as version 0.88.1-0volatile2. We recommend that you update your system.
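
The CVE-2006-1614 entry above ties exploitability to the ArchiveMaxFileSize
option being disabled, so checking clamd.conf shows whether a host was in
that state before the update. The following is an added example, not part of
the announcement; it assumes a value of 0 is how the limit is disabled and
that an absent directive leaves the default limit in place, and the function
names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory).
# Assumption: "ArchiveMaxFileSize 0" is how the limit is switched off, and a
# missing directive leaves clamd's built-in default limit in place.

# Prints "disabled", "enabled:<value>" or "default" for one clamd.conf.
archive_limit_state() {
    awk '
        $1 == "ArchiveMaxFileSize" {
            seen = 1
            n = $2
            sub(/[KkMm]$/, "", n)                 # drop an optional size suffix
            # Conservative: any zero setting in the file counts as off.
            if (n ~ /^0+$/) { zero = 1 } else { last = $2 }
        }
        END {
            if (!seen)     print "default"
            else if (zero) print "disabled"
            else           print "enabled:" last
        }' "$1"
}

# Exit status 1 when the file leaves the limit off, 0 otherwise.
audit_clamd_conf() {
    state=$(archive_limit_state "$1")
    echo "$1: ArchiveMaxFileSize $state"
    [ "$state" != "disabled" ]
}

# Constructed sample configuration, written to a temporary file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed clamd.conf fragment
LogFile /var/log/clamav/clamav.log
#ArchiveMaxFileSize 10M
ArchiveMaxFileSize 0
EOF
audit_clamd_conf "$sample" || echo "limit is off: CVE-2006-1614 precondition met"
rm -f "$sample"
```

On a real host, pass the path of the clamd.conf in use to audit_clamd_conf.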


Upgrade Instructions
- --------------------

You can get the updated packages at

http://volatile.debian.net/debian-volatile/pool/volatile/main/c/clamav/

and install them with dpkg, or add

 deb http://volatile.debian.net/debian-volatile sarge/volatile main
 deb-src http://volatile.debian.net/debian-volatile sarge/volatile main

to your /etc/apt/sources.list. You can also use any of our mirrors.  
Please see http://www.debian.org/devel/debian-volatile/volatile-mirrors for
the full list of mirrors.  The archive signing key can be downloaded from
http://volatile.debian.net/ziyi-sarge.asc

For further information about debian-volatile, please refer to
http://volatile.debian.net/ and http://www.debian.org/devel/debian-volatile/.

If there are any issues, please don't hesitate to get in touch with the
volatile team.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFENMnmmdOZoew2oYURAiX2AJ4jxWkAvmIME0v7058HUFanxYfOmwCgnYDD
rIqMJ6Ss+kjHvYRYPazz7mw=
=oKf7
-----END PGP SIGNATURE-----


