
[VUA 36-1] Updated clamav package fixes security flaw



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------------
Debian Volatile Update Announcement VUA 36-1     http://volatile.debian.org
debian-volatile@lists.debian.org                               Stephen Gran
August 21, 2007
- ---------------------------------------------------------------------------

Package              : clamav
Version              : 0.91.2-0volatile1 and 0.91.1-2~volatile1
Importance           : high
CVE IDs              : N/A

The following security flaws were found and fixed in clamav:

 [CVE-2007-XXXX] fix call to tolower() which led to a crash in libclamav
 [CVE-2007-XXXX] fix possible NULL dereference, e.g. when parsing email 
                 with RFC2397 URI
 [CVE-2007-XXXX] fix floating point exception when using ScanOLE2
 [CVE-2007-XXXX] fix possible NULL dereference in rtf.c

For sarge, an updated clamav package is available in sarge/volatile
as version 0.91.2-0volatile1.

For etch, an updated clamav package is available in etch/volatile 
as version 0.91.2-1~volatile1.

We recommend that you update your system.

This advisory was sent out without builds for arm, hppa and sparc being
available for etch/volatile and without builds for arm, hppa, m68k,
mips, mipsel and sparc being available for sarge/volatile. They will be
released as soon as they are available.


Upgrade Instructions
- --------------------

You can get the updated packages at

http://volatile.debian.org/debian-volatile/pool/volatile/main/c/clamav

and install them with dpkg, or add for sarge

 deb http://volatile.debian.org/debian-volatile sarge/volatile main
 deb-src http://volatile.debian.org/debian-volatile sarge/volatile main

or for etch

 deb http://volatile.debian.org/debian-volatile etch/volatile main
 deb-src http://volatile.debian.org/debian-volatile etch/volatile main

to your /etc/apt/sources.list. You can also use any of our mirrors.  See
http://www.debian.org/volatile/volatile-mirrors for the full list of
mirrors.  The archive signing keys can be downloaded from
http://volatile.debian.org/ziyi-sarge.asc and
http://volatile.debian.org/ziyi-etch.asc

For further information about debian-volatile, please refer to
http://www.debian.org/volatile/.

If there are any issues, please don't hesitate to get in touch with the
debian-volatile team.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGy1DhST77jl1k+HARAuC4AJ9mRN6QNy9HdEIADI3jOyErSPrHsQCghQ7H
uXQOytvOvijXMQ69GqKpMpY=
=g2CK
-----END PGP SIGNATURE-----


