[Kolab-announce] Kolab Security Issue 25 20091117 (clamav)

Thomas Arendsen Hein thomas at intevation.de
Tue Nov 17 17:18:25 CET 2009

Kolab Security Issue 25 20091117

Package:              Kolab Server, ClamAV
Vulnerability:        various
Kolab Specific:       no
Dependent Packages:   none


ClamAV is prone to multiple vulnerabilities because it fails to properly
restrict certain files after scanning them. A successful attack may allow
malicious users to bypass security restrictions placed on certain files.

Further unpublished vulnerabilities may have been fixed.

Affected Versions

This affects versions of ClamAV up to version 0.95.1.
Kolab Server 2.2.2 and previous releases are affected.


Upgrade to ClamAV 0.95.3.

OpenPKG packages for Kolab Server 2.2.2 are available from
or from the mirrors listed on http://kolab.org/mirrors.html

A binary RPM for Kolab Server 2.2.2 (ix86 Debian GNU/Linux Lenny)
is available as clamav-0.95.3-20091030.ix86-debian5.0-kolab.rpm

A binary RPM for Kolab Server 2.2.2 (ix86 Debian GNU/Linux Etch)
is available as clamav-0.95.3-20091030.ix86-debian4.0-kolab.rpm

The source and binary packages have been verified to work with Kolab Server
2.2.0, so you can upgrade this package without doing a full upgrade.

All other server versions: Please upgrade to Kolab Server 2.2.x and install
the updated package.

You can check the integrity of the downloaded files with:

$ gpg --keyserver keys.gnupg.net --recv-key 5816791A
  or import the key from https://www.intevation.de/~thomas/gpg_pub_key.asc
$ gpg --verify SHA1SUMS.sig
$ sha1sum -c SHA1SUMS

The source package can be compiled and installed on your Kolab Server with:

# su - kolab
$ openpkg rpm --rebuild ...path/to.../clamav-0.95.3-20091030.src.rpm
$ openpkg rpm -Uvh /kolab/RPM/PKG/clamav-0.95.3-20091030.<ARCH>-<OS>-kolab.rpm
$ rm /kolab/etc/clamav/*.rpmsave
$ openpkg rc clamav stop
$ openpkg rc clamav start
$ exit
# su - kolab-r
$ freshclam
$ rm -r /kolab/share/clamav/*.inc

To install a binary package, just skip the --rebuild step.
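The integrity check above relies on `sha1sum -c SHA1SUMS`, which only reports on files that are listed in SHA1SUMS: a downloaded package whose name is missing from the list is silently not checked. The following script is an added example and is not part of this advisory or of the Kolab project; it wraps the checksum step as a function that fails closed (non-zero exit on mismatch or on a missing entry) so it can gate an automated install. It assumes GNU coreutils `sha1sum` and uses constructed file names and contents; the `gpg --verify SHA1SUMS.sig` step from the advisory must still run before this, since the checksum list is only as trustworthy as its signature.

```shell
#!/bin/sh
# Added example, not from the Kolab advisory. Verifies one downloaded file
# against a SHA1SUMS list (the format written by `sha1sum`), failing closed.
# Assumes GNU coreutils sha1sum; all file names below are constructed.

# verify_sha1 SUMSFILE FILE
#   exit 0  : FILE's SHA-1 matches its entry in SUMSFILE
#   exit 1  : checksum mismatch (file tampered with or corrupted)
#   exit 2  : SUMSFILE has no entry for FILE (the case `sha1sum -c` skips)
verify_sha1() {
    sums="$1"
    file="$2"
    name=$(basename "$file")
    # sha1sum writes "HASH  name" (text mode) or "HASH *name" (binary mode);
    # accept both spellings when looking up the expected hash.
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "REFUSED: no checksum entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha1sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# demo: builds a constructed package file, a SHA1SUMS listing it, and a
# tampered copy, then shows all three outcomes. Always returns 0 so the
# script is safe to source.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed package payload\n' > "$tmp/clamav-example.rpm"
    cp "$tmp/clamav-example.rpm" "$tmp/clamav-tampered.rpm"
    printf 'extra bytes\n' >> "$tmp/clamav-tampered.rpm"
    good=$(sha1sum "$tmp/clamav-example.rpm" | awk '{ print $1 }')
    # list both names under the good hash so the tampered copy is a mismatch
    printf '%s  clamav-example.rpm\n%s *clamav-tampered.rpm\n' "$good" "$good" \
        > "$tmp/SHA1SUMS"
    verify_sha1 "$tmp/SHA1SUMS" "$tmp/clamav-example.rpm"
    verify_sha1 "$tmp/SHA1SUMS" "$tmp/clamav-tampered.rpm" || true
    verify_sha1 "$tmp/SHA1SUMS" "$tmp/clamav-unlisted.rpm" || true
    rm -rf "$tmp"
    return 0
}

demo
```

In a deployment script the call would look like `verify_sha1 SHA1SUMS clamav-0.95.3-20091030.ix86-debian5.0-kolab.rpm && openpkg rpm -Uvh ...`, so that the install step is reached only when the package is both listed and intact.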


	ClamAV 0.95.2 release notes

(bugfix release, only the ChangeLog has been published)
	ClamAV 0.95.3 release notes

	ClamAV CAB/RAR/ZIP File Scan Evasion Vulnerability

	ClamAV Embedded Archive File Scan Evasion Vulnerability

	ClamAV Prior to 0.95.2 Multiple Scanner Bypass Vulnerabilities

    20090610 ClamAV release 0.95.2.
    20091028 ClamAV release 0.95.3.
    20091030 Update available via Kolab CVS, started testing.
    20091117 Kolab Server security advisory published.

thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner