
[VUA 25-1] Updated clamav package fixes security flaw



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------------
Debian Volatile Update Announcement VUA 25-1     http://volatile.debian.net
debian-volatile@lists.debian.org                 Felipe Augusto van de Wiel
February 16th, 2007.
- ---------------------------------------------------------------------------

Package              : clamav
Version              : 0.88.7-0volatile2
Importance           : high
CVE IDs              : CVE-2007-0897
                       CVE-2007-0898
                       CVE-2007-0899

The following security flaws were found and fixed in clamav:

CVE-2007-0897: CAB File Denial of Service Vulnerability
CVE-2007-0898: MIME Parsing Directory Traversal Vulnerability
CVE-2007-0899: Possible heap overflow in libclamav/fsg.c

For sarge, an updated clamav package is available in sarge/volatile
as version 0.88.7-0volatile2. We recommend that you update your system.

Please note that this is _NOT_ the new clamav upstream version 0.90;
for now it is only a security fix of 0.88.7-0volatile1.

This advisory was sent out without builds for m68k, mipsel and s390
architectures being available. They will be released as soon as they are
available.


Upgrade Instructions
- --------------------

You can get the updated packages at

http://volatile.debian.net/debian-volatile/pool/volatile/main/c/clamav/

and install them with dpkg, or add

 deb http://volatile.debian.net/debian-volatile sarge/volatile main
 deb-src http://volatile.debian.net/debian-volatile sarge/volatile main

to your /etc/apt/sources.list. You can also use any of our mirrors.
See http://www.debian.org/devel/debian-volatile/volatile-mirrors for
the full list of mirrors.  The archive signing key can be downloaded from
http://volatile.debian.net/ziyi-sarge.asc

For further information about debian-volatile, please refer to
http://volatile.debian.net/ and http://www.debian.org/devel/debian-volatile/.

If there are any issues, please don't hesitate to get in touch with the
volatile team.

- --
Felipe Augusto van de Wiel (faw)
"Debian. Freedom to code. Code to freedom!"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF1d1mCjAO0JDlykYRAnZHAKCp2F7fDeYUfZY9GNCEE2OZQCjABwCeJs04
yXZgibVfSMSyFfdkegx5hs8=
=PlPI
-----END PGP SIGNATURE-----


