---------------------------------------------------------------------------
Debian Volatile Update Announcement VUA 32-1     http://volatile.debian.org
debian-volatile@lists.debian.org                              Andreas Barth
June 01st, 2007
---------------------------------------------------------------------------

Package              : clamav
Version              : 0.90.3-0volatile1 and 0.90.3-1~volatile1
Importance           : high
CVE IDs              : CVE-2007-2650
                       3 further CVE IDs not yet assigned

The following security flaws were found and fixed in clamav:

[CVE-2007-2650]: libclamav/ole2_extract.c: detect block list loop
[CVE-2007-XXXX]: libclamav/unsp.c: fix end of buffer calculation
[CVE-2007-XXXX]: libclamav/unrar/unrar.c: heap corruption causing DoS with
                 corrupted rar archive, better handle truncated files
[CVE-2007-XXXX]: libclamav/others.c: tighten permissions on unpacked files

For sarge, an updated clamav package is available in sarge/volatile as
version 0.90.3-0volatile1.

For etch, an updated clamav package is available in etch/volatile as
version 0.90.3-1~volatile1.

We recommend that you update your system.

This advisory was sent out without builds for alpha, m68k, mips, mipsel
and sparc architectures being available. They will be released as soon as
they are available.

Upgrade Instructions
--------------------

You can get the updated packages at

  http://volatile.debian.org/debian-volatile/pool/volatile/main/c/clamav

and install them with dpkg, or add for sarge

  deb http://volatile.debian.org/debian-volatile sarge/volatile main
  deb-src http://volatile.debian.org/debian-volatile sarge/volatile main

or for etch

  deb http://volatile.debian.org/debian-volatile etch/volatile main
  deb-src http://volatile.debian.org/debian-volatile etch/volatile main

to your /etc/apt/sources.list. You can also use any of our mirrors.
See http://www.debian.org/volatile/volatile-mirrors for the full list of
mirrors.

The archive signing keys can be downloaded from

  http://volatile.debian.org/ziyi-sarge.asc

and

  http://volatile.debian.org/ziyi-etch.asc

For further information about debian-volatile, please refer to
http://volatile.debian.org/ and http://www.debian.org/volatile/.

If there are any issues, please don't hesitate to get in touch with the
volatile team.