
[VUA 19-2] Updated clamav packages fix security flaw



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------------
Debian Volatile Update Announcement VUA 18-2     http://volatile.debian.net
debian-volatile@lists.debian.org                              Andreas Barth
August 8th, 2006
- ---------------------------------------------------------------------------

[ This update just adds the CVE ID CVE-2006-4018. ]

Package              : clamav
Version              : 0.88.4-0volatile1
Importance           : high
CVE IDs              : CVE-2006-4018

The following security flaw was found and fixed in clamav:

CVE-2006-4018:

    Damian Put has discovered a vulnerability in Clam AntiVirus, which can be
    exploited by malicious people to cause a DoS (Denial of Service) and
    potentially compromise a vulnerable system.

    The vulnerability is caused by a boundary error in the "pefromupx()"
    function in libclamav/upx.c when unpacking PE executable files compressed
    with UPX. This can be exploited to cause a heap-based buffer overflow via a
    specially crafted UPX compressed file.

    This vulnerability has been published without assigning a CVE ID. We are
    sorry for the inconvenience.


For sarge, an updated clamav package is available in sarge/volatile
as version 0.88.4-0volatile1. We recommend that you update your system.


Upgrade Instructions
- --------------------

You can get the updated packages at

http://volatile.debian.net/debian-volatile/pool/volatile/main/c/clamav/

and install them with dpkg, or add

 deb http://volatile.debian.net/debian-volatile sarge/volatile main
 deb-src http://volatile.debian.net/debian-volatile sarge/volatile main

to your /etc/apt/sources.list. You can also use any of our mirrors.
Please see http://www.debian.org/devel/debian-volatile/volatile-mirrors for
the full list of mirrors.  The archive signing key can be downloaded from
http://volatile.debian.net/ziyi-sarge.asc

For further information about debian-volatile, please refer to
http://volatile.debian.net/ and http://www.debian.org/devel/debian-volatile/.

If there are any issues, please don't hesitate to get in touch with the
volatile team.
- -- 
  http://home.arcor.de/andreas-barth/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFE2OhYmdOZoew2oYURAtxaAKC31gHXkU5u10zTAIhUDAAhZT1mKQCfd+XM
pTMNlI46yDqzWU1mkvKibqw=
=nd8l
-----END PGP SIGNATURE-----
