[Technik] [SECURITY] [DSA 1366-1] New clamav packages fix several vulnerabilities

Noèl Köthe noel at debian.org
Mon Sep 3 17:38:41 CEST 2007 

Am Samstag, den 01.09.2007, 13:53 +0200 schrieb Moritz Muehlenhoff:

> Debian Security Advisory DSA 1366-1                    security at debian.org
> http://www.debian.org/security/                         Moritz Muehlenhoff
> September 1st, 2007                     http://www.debian.org/security/faq
> 
> Package        : clamav
> Vulnerability  : several
> Problem-Type   : remote
> Debian-specific: no
> CVE ID         : CVE-2007-4510 CVE-2007-4560

clamav auf yuma, h01, h02, h03 und h04 aktualisiert.

> The oldstable distribution (sarge) is only affected by a subset of 
> the problems. An update will be provided later.

wir nutzen volatile auf h0x:
clamav (0.91.2-0volatile1) sarge-volatile; urgency=low

  * New upstream version
    - fix call to tolower() which led to a crash in libclamav
    - fix possible NULL dereference, e.g. when parsing email with RFC2397
      URI
    - fix floating point exception when using ScanOLE2
    - fix possible NULL dereference in rtf.c
  * Handle new option DetectPUA in maintainer scripts

 -- Stephen Gran <sgran at debian.org>  Tue, 21 Aug 2007 11:28:02 +0100


> For the stable distribution (etch) these problems have been fixed
> in version 0.90.1-3etch7.

clamav (0.90.1-3etch7) stable-security; urgency=low

  * Rebuild with bumped version number

 -- Stephen Gran <sgran at debian.org>  Wed, 29 Aug 2007 14:10:31 +0100

clamav (0.90.1-3etch6) stable-security; urgency=low

  * Remove unnecessary 33_htmlnorm.c.crash.dpatch
  * 36_clamav-milter.c.CVE-2007-4560.dpatch:
    [CVE-2007-4560]: arbitrary code execution via clamav-milter's blackhole
    function

 -- Stephen Gran <sgran at debian.org>  Wed, 29 Aug 2007 12:44:52 +0100

clamav (0.90.1-3etch5) stable-security; urgency=low

  * fix call to tolower() which led to a crash in libclamav/htmlnorm.c
  * fix possible NULL dereference in rtf.c
  * fix possible NULL dereference when parsing email with RFC2397 URI

 -- Stephen Gran <sgran at debian.org>  Tue, 21 Aug 2007 21:31:13 +0100

-- 
Noèl Köthe <noel debian.org>
Debian GNU/Linux, www.debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Dies ist ein digital signierter Nachrichtenteil
Url : /archiv/technik/attachments/20070903/4c740226/attachment.pgp

More information about the Technik mailing list