thomas: doc/www/src/security kolab-vendor-notice-15.txt,NONE,1.1
cvs at kolab.org
Fri Jun 1 18:14:38 CEST 2007
Author: thomas
Update of /kolabrepository/doc/www/src/security
In directory doto:/tmp/cvs-serv30410
Added Files:
kolab-vendor-notice-15.txt
Log Message:
Kolab Security Issue 15 20070601 (clamav)
--- NEW FILE: kolab-vendor-notice-15.txt ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Kolab Security Issue 15 20070601
================================
Package: Kolab Server, ClamAV
Vulnerability: denial of service, insecure temporary files
Kolab Specific: no
Dependent Packages: none
Summary
~~~~~~~
- libclamav/unsp.c: fix end of buffer calculation (bb#464, patch from aCaB)
- libclamav/others.c: use strict permissions (0600) for temporary files
created in cli_gentempstream() (bb#517). Reported by Christoph Probst.
- libclamav/unrar/unrar.c: heap corruption causing DoS with corrupted
rar archive, better handle truncated files
- libclamav/phishcheck.c: isURL() regex execution hangs on Solaris
- libclamav/ole2_extract.c: detect block list loop (bb#466), patch from Trog
Affected Versions
~~~~~~~~~~~~~~~~~
This affects versions of ClamAV up to version 0.90.2.
Kolab Server 2.1.0 and previous releases of the 2.1 branch are affected.
Kolab Server 2.0.4 and previous releases of the 2.0 branch are affected;
upgrade to Kolab Server 2.1.0 first, then apply this update.
Fix
~~~
Upgrade to ClamAV 0.90.3.
The ClamAV source RPM is available from the Kolab download mirrors as:
security-updates/20070601/clamav-0.90.3-20070531_kolab.src.rpm
A binary RPM for Kolab Server 2.1.0 (ix86 Debian GNU/Linux Sarge) is available:
security-updates/20070601/clamav-0.90.3-20070531_kolab.ix86-debian3.1-kolab.rpm
All other server versions: Please build from the src.rpm.
The mirrors are listed on http://kolab.org/mirrors.html
While the mirrors are catching up, you can also get the package via rsync:
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20070601/clamav-0.90.3-20070531_kolab.src.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20070601/clamav-0.90.3-20070531_kolab.ix86-debian3.1-kolab.rpm .
MD5 sums:
1af188d728d10d9df9708a2ab3e89e78 clamav-0.90.3-20070531_kolab.ix86-debian3.1-kolab.rpm
53097670b452fdab2c20193d27d1c479 clamav-0.90.3-20070531_kolab.src.rpm
The package can be installed on your Kolab Server with
# /kolab/bin/openpkg rpm --rebuild clamav-0.90.3-20070531_kolab.src.rpm
# /kolab/bin/openpkg rpm \
-Uvh /kolab/RPM/PKG/clamav-0.90.3-20070531_kolab.<ARCH>-<OS>-kolab.rpm
# su - kolab-r
$ freshclam
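The steps above fetch a package, compare it against a published MD5 sum, and only then build and install it. The following POSIX shell helper is an added example, not part of the Kolab advisory or of the Kolab/OpenPKG tooling: it wraps the MD5 check so that the openpkg rebuild and install lines from the advisory are only executed when the digest matches. It assumes md5sum(1) (or, failing that, openssl(1)) is installed; the path of the rebuilt binary RPM is passed in by the caller because its <ARCH>-<OS> part depends on the host.

```shell
#!/bin/sh
# Added example (not Kolab project code): refuse to install a package whose
# MD5 digest differs from the sum printed in the signed advisory.
# Assumes md5sum(1) from coreutils or openssl(1) is available.

# Print the lowercase MD5 hex digest of a file; fail if the file is unreadable.
md5_of_file() {
    [ -r "$1" ] || return 1
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        # "openssl dgst" prints "MD5(file)= <hex>"; the digest is the last field.
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE EXPECTED: return 0 when FILE's digest equals EXPECTED
# (case-insensitive), 1 otherwise or when FILE cannot be read.
verify_md5() {
    vm_file=$1
    vm_expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    vm_actual=$(md5_of_file "$vm_file") || return 1
    [ "$vm_actual" = "$vm_expected" ]
}

# install_verified SRC_RPM EXPECTED_MD5 BUILT_RPM: check the source RPM
# against the advisory's sum, then run the advisory's build, install and
# signature-refresh steps. BUILT_RPM is the /kolab/RPM/PKG/... file the
# rebuild produced on this host (hypothetical argument, not an advisory path).
install_verified() {
    if ! verify_md5 "$1" "$2"; then
        echo "refusing to install $1: MD5 mismatch or unreadable file" >&2
        return 1
    fi
    /kolab/bin/openpkg rpm --rebuild "$1" &&
    /kolab/bin/openpkg rpm -Uvh "$3" &&
    su - kolab-r -c freshclam
}

# Example invocation with the sum from the advisory (only runs as root on a
# Kolab host; shown here for illustration):
# install_verified clamav-0.90.3-20070531_kolab.src.rpm \
#     53097670b452fdab2c20193d27d1c479 \
#     /kolab/RPM/PKG/clamav-0.90.3-20070531_kolab.<ARCH>-<OS>-kolab.rpm
```

The MD5 comparison only detects a corrupted or substituted download; it is trustworthy solely because the sums are carried inside the PGP-signed advisory, so verify the advisory's signature against the Kolab signing key before relying on the sums, and treat a mismatch as a reason to stop, not to retry on another mirror.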
Details
~~~~~~~
http://sourceforge.net/project/shownotes.php?release_id=512356
ClamAV 0.90.3 release notes
Timeline
~~~~~~~~
20070530 ClamAV release 0.90.3.
20070531 OpenPKG 0.90.3 package release.
20070601 Kolab Server security advisory published.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFGYEUqW7P1GVgWeRoRAi5jAJ4zw3zAH6qcg2Z3p3aMBewaayEntwCghcvi
uQqR9EIOgrBcdgjdrp8Cnow=
=UJ7k
-----END PGP SIGNATURE-----