---------------------------------------------------------------------------
Debian Volatile Update Announcement VUA 55-1
http://volatile.debian.org                  debian-volatile@lists.debian.org
Stephen Gran                                                    Apr 29, 2009
---------------------------------------------------------------------------

Package        : clamav
Version        : 0.95.1+dfsg-0volatile2 (Etch), 0.95.1+dfsg-1volatile2 (Lenny)
Importance     : medium
CVE IDs        : CVE-2008-6680, CVE-2009-1270

Upstream published version 0.95.1. Though the changes are not strictly
required for operation, users of the previous version in volatile might
get warnings.

The new version contains these enhancements:

- Google Safe Browsing support: in addition to the heuristic and
  signature based phishing detection mechanisms already available in
  ClamAV, the scanner can now make use of Google's blacklists of
  suspected phishing and malware sites. The ClamAV Project distributes a
  constantly updated Safe Browsing database, which can be automatically
  fetched by freshclam. For more information, please see freshclam.conf(5)
  and http://safebrowsing.clamav.net.

- New clamav-milter: The program has been redesigned and rewritten from
  scratch. The most notable difference is that the internal mode has been
  dropped, which means that a working clamd companion is now required.
  The milter now also has its own configuration file.

- Clamd extensions: The protocol has been extended to lighten the load
  that clamd puts on the system, solve limitations of the old protocol,
  and reduce latency when signature updates are received. For more
  information about the new extensions please see the official
  documentation and the upgrade notes.

- Improved API: The API used to program ClamAV's engine (libclamav) has
  been redesigned to use modern object-oriented techniques and solves
  various API/ABI compatibility issues between old and new releases. You
  can find more information in Section 6 of clamdoc.pdf and in the
  upgrade notes.
- ClamdTOP: This is a new program that allows system administrators to
  monitor clamd. It provides information about the items in clamd's
  queue, clamd's memory usage, and the version of the signature database,
  all in real-time and in a nice curses-based interface.

- Memory Pool Allocator: Libclamav now includes its own memory pool
  allocator based on memory mapping. This new solution replaces the
  traditional malloc/free system for the copy of the signatures that is
  kept in memory. As a result, clamd requires much less memory,
  particularly when signature updates are received and the database is
  loaded into memory.

- Unified Option Parser: Prior to version 0.95 each program in ClamAV's
  suite of programs had its own set of runtime options. The new general
  parser brings consistency of use and validation to these options across
  the suite. Some command line switches of clamscan have been renamed
  (the old ones will still be accepted but will have no effect and will
  result in warnings); please see clamscan(1) and clamscan --help for the
  details.

The following security flaws present in lenny were found and fixed in
clamav:

CVE-2008-6680
    Attackers can cause a denial of service (crash) via a crafted EXE
    file that triggers a divide-by-zero error.

CVE-2009-1270
    Attackers can cause a denial of service (infinite loop) via a crafted
    tar file that causes (1) clamd and (2) clamscan to hang.

(no CVE Id yet)
    Attackers can cause a denial of service (crash) via a crafted EXE
    file that crashes the UPack unpacker.

If you use clamav, we recommend you upgrade to this version. For Lenny
these security fixes are also present in version 0.94.dfsg.2-1lenny2 in
the security archive, if you hesitate to upgrade to a new upstream
version.
Upgrade Instructions
--------------------

You can get the updated packages at

    http://volatile.debian.org/debian-volatile/pool/volatile/main/c/clamav/

and install them with dpkg, or add the volatile archive for Lenny to your
/etc/apt/sources.list:

    deb     http://volatile.debian.org/debian-volatile lenny/volatile main
    deb-src http://volatile.debian.org/debian-volatile lenny/volatile main

You can also use any of our mirrors. See
http://www.debian.org/volatile/volatile-mirrors for the full list of
mirrors.

The archive signing keys were included in Debian Lenny.

For further information about debian-volatile, please refer to
http://www.debian.org/volatile/.

If there are any issues, please don't hesitate to get in touch with the
debian-volatile team.
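To check whether an installed clamav is already at or above one of the fixed versions named in this announcement (on a Debian host, dpkg --compare-versions gives the same ordering), the following is an added example, not code from the advisory or the clamav project: it reimplements the Debian version ordering in Python and applies the fixed versions listed above. The suite names used as keys and the 0.95 upper bound placed on the 0.94-branch security-archive fix are assumptions of the example.

```python
import re
from itertools import zip_longest

# Fixed versions named in VUA 55-1 (added example, not code from the advisory or clamav).
# The lenny security-archive fix is on the 0.94 branch, so it only vouches for installs
# below 0.95 (upper bound, an assumption of this example); the volatile fixes carry none.
FIXED = {
    "etch": [("0.95.1+dfsg-0volatile2", None)],
    "lenny": [("0.95.1+dfsg-1volatile2", None), ("0.94.dfsg.2-1lenny2", "0.95")],
}

def _order(c):
    # Debian Policy: '~' sorts before everything (even end of string), then letters, then the rest.
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare two upstream-version or revision strings: <0, 0 or >0."""
    ta = re.findall(r"(\D*)(\d*)", a)  # alternating non-digit / digit chunks
    tb = re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(ta, tb, fillvalue=("", "")):
        for x, y in zip_longest(na, nb, fillvalue=""):
            if x != y:
                return _order(x) - _order(y)
        d = int(da or 0) - int(db or 0)
        if d:
            return d
    return 0

def parse(version):
    """Split 'epoch:upstream-revision'; epoch and revision are optional."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare(v1, v2):
    """Same ordering as dpkg --compare-versions: <0 if v1 < v2, 0 if equal, >0 if greater."""
    e1, u1, r1 = parse(v1)
    e2, u2, r2 = parse(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def is_fixed(suite, installed):
    """True if 'installed' is at or above a version VUA 55-1 lists as fixed for 'suite'."""
    for fixed, below in FIXED.get(suite, []):
        if compare(installed, fixed) >= 0 and (below is None or compare(installed, below) < 0):
            return True
    return False
```

Feed it the output of `dpkg-query -W -f '${Version}' clamav` to see whether the host still needs the update.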