---------------------------------------------------------------------------
Debian Volatile Update Announcement VUA 54-1 http://volatile.debian.org
debian-volatile@lists.debian.org Michael Tautschnig
April 14, 2009
---------------------------------------------------------------------------
Package : clamav
Version : 0.94.dfsg.2-1~volatile3
Importance : high
CVE IDs : CVE-2008-6680, CVE-2009-1270 and unknown
The following security flaws were found and fixed in the ClamAV
anti-virus toolkit:

CVE-2008-6680

   libclamav/pe.c in ClamAV before 0.95 allows remote attackers to
   cause a denial of service (crash) via a crafted EXE file that
   triggers a divide-by-zero error.

CVE-2009-1270

   libclamav/untar.c in ClamAV before 0.95 allows remote attackers
   to cause a denial of service (infinite loop) via a crafted file
   that causes (1) clamd and (2) clamscan to hang.

no CVE yet

   libclamav/other.h in ClamAV before 0.95.1 allows remote attackers
   to cause a denial of service (crash) via crafted EXE files packed
   using UPack.

For etch, an updated ClamAV package is available in etch/volatile as
version 0.94.dfsg.2-1~volatile3, which incorporates only the above
security fixes for 0.94. An updated package with version 0.95.1 of the
ClamAV package will follow soon.
Upgrade Instructions
--------------------
You can get the updated packages at
http://volatile.debian.org/debian-volatile/pool/volatile/main/c/clamav/
and install them with dpkg, or add
deb http://volatile.debian.org/debian-volatile etch/volatile main
deb-src http://volatile.debian.org/debian-volatile etch/volatile main
to your /etc/apt/sources.list. You can also use any of our mirrors. See
http://www.debian.org/volatile/volatile-mirrors for the full list of
mirrors. The archive signing keys can be downloaded from
http://volatile.debian.org/ziyi-etch.asc and were additionally included
in the stable point release r1 in Debian Etch.
For further information about debian-volatile, please refer to
http://www.debian.org/volatile/.
If there are any issues, please don't hesitate to get in touch with the
debian-volatile team.
--
Martin Zobel-Helas <zobel@debian.org> | Debian System Administrator
Debian & GNU/Linux Developer | Debian Listmaster
Public key http://zobel.ftbfs.de/5d64f870.asc - KeyID: 5D64 F870
GPG Fingerprint: 5DB3 1301 375A A50F 07E7 302F 493E FB8E 5D64 F870