----------------------------------------------------------------------------
Debian Volatile Update Announcement VUA 42-2     http://volatile.debian.org
debian-volatile@lists.debian.org                  Stephen Gran, Andi Barth
February 13th, 2008
----------------------------------------------------------------------------

Package    : clamav
Version    : etch: 0.92.1~dfsg-1volatile1, sarge: 0.92.1dfsg-0volatile1
Importance : high
CVE IDs    : CVE-2007-6595, CVE-2008-0318

The following security flaws were found and fixed in clamav:

CVE-2007-6595: symlink attack allows local users to overwrite arbitrary
files via cli_gentempfd in libclamav/others.c or in sigtool with
utf16-decode enabled.

CVE-2008-0318: integer overflow in libclamav/pe.c

By popular request, we add an update for sarge for clamav as well. The
etch version has already been published with VUA42-1.

However, we still want to encourage you to upgrade your systems to Etch -
we don't promise whether any next version of clamav will have a sarge
release as well. Additionally, our sarge apt key has expired, so we used
the etch apt key to sign the release file.

Upgrade Instructions
---------------------

You can get the updated packages at
http://volatile.debian.org/debian-volatile/pool/volatile/main/c/clamav
and install them with dpkg, or add

  deb http://volatile.debian.org/debian-volatile sarge/volatile main
  deb-src http://volatile.debian.org/debian-volatile sarge/volatile main

to your /etc/apt/sources.list. You can also use any of our mirrors.
See http://www.debian.org/volatile/volatile-mirrors for the full list of
mirrors. The archive signing key is available from
http://volatile.debian.org/ziyi-etch.asc, and has been included since the
stable point release r1 in Debian Etch.

For further information about debian-volatile, please refer to
http://www.debian.org/volatile/.

If there are any issues, please don't hesitate to get in touch with the
debian-volatile team via debian-volatile@lists.debian.org.