thomas: doc/www/src/security kolab-vendor-notice-03.txt,NONE,1.1

cvs at intevation.de
Wed Sep 21 18:18:47 CEST 2005


Author: thomas

Update of /kolabrepository/doc/www/src/security
In directory doto:/tmp/cvs-serv22064

Added Files:
	kolab-vendor-notice-03.txt 
Log Message:
Add security advisory for remotely exploitable clamav vulnerabilities.


--- NEW FILE: kolab-vendor-notice-03.txt ---
Kolab Security Issue 03 20050921
================================

Package:              Kolab Server
Vulnerability:        buffer overflow, DOS, remotely exploitable
Kolab Specific:       no
Dependent Packages:   none


Summary
-------

The Clam AntiVirus package contains a boundary condition error (a buffer
overflow) and fails to handle an exceptional condition (an infinite loop);
both can be triggered remotely.


Affected Versions
-----------------

This affects all servers running ClamAV 0.86.2 or earlier.
Kolab Server 2.0.1 and previous releases of the 2.0 branch are affected.


Fixes
-----

Upgrade to ClamAV 0.87.

A new ClamAV RPM is available from the Kolab download mirrors as
security-updates/20050921/clamav-0.87-20050916.src.rpm

A binary RPM for Debian woody (ix86) is available as
security-updates/20050921/clamav-0.87-20050916.ix86-debian3.0-kolab.rpm

The mirrors are listed on http://kolab.org/mirrors.html

While the mirrors are catching up, you can also get the package via rsync:
# rsync -tzv rsync://rsync.kolab.org/kolab/server/security-updates/20050921/clamav-0.87-20050916.src.rpm


This package can be installed on your Kolab Server with

# /kolab/bin/openpkg rpm --rebuild clamav-0.87-20050916.src.rpm
# /kolab/bin/openpkg rpm \
  -Uvh /kolab/RPM/PKG/clamav-0.87-20050916.<ARCH>-<OS>-kolab.rpm

The upgrade will probably write a new /kolab/etc/clamav/clamav.conf. Remove
the clamav.conf.rpmsave file, run kolabconf and make sure clamav starts:

# rm /kolab/etc/clamav/clamav.conf
# /kolab/sbin/kolabconf
# /kolab/etc/rc clamav start

##optional
# /kolab/bin/freshclam
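After the steps above, an administrator wants a quick way to confirm that the
scanner actually in use is no longer in the affected range. The following
POSIX sh snippet is an added example, not part of the Kolab advisory or the
Kolab project: it parses a `clamscan --version` line, compares the version
field by field against the 0.87 fix level named in the advisory, and prints
"affected", "fixed" or "unknown". The "ClamAV X.Y.Z/..." output format, the
assumption that clamscan lives under /kolab/bin on an OpenPKG-based Kolab
Server, and the sample lines at the bottom are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Kolab advisory: classify a ClamAV version as
# "affected" (0.86.2 or earlier, per the advisory) or "fixed" (0.87 or later).
# The "ClamAV X.Y.Z/..." line format assumed for `clamscan --version` and the
# sample lines at the bottom are constructed for this example.

FIXED_VERSION="0.87"   # first fixed release named in the advisory

# Print the bare version from a line like "ClamAV 0.86.2/1067/Thu Sep 15 ...";
# prints nothing when the line does not look like ClamAV version output.
clamav_version_from_line() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*/\1/p'
}

# Print a dotted version as three space-separated numeric fields, padding
# missing fields with 0 ("0.87" -> "0 87 0", "0.86.2" -> "0 86 2").
version_fields() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    printf '%s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}"
}

# Return 0 if version $1 sorts before version $2, 1 otherwise.
# Numeric field-by-field comparison, so 0.86.2 < 0.87 even though
# "0.86.2" > "0.87" as a plain string.
version_older_than() {
    set -- $(version_fields "$1") $(version_fields "$2")
    # $1 $2 $3 = candidate, $4 $5 $6 = reference
    if [ "$1" -lt "$4" ]; then return 0; fi
    if [ "$1" -gt "$4" ]; then return 1; fi
    if [ "$2" -lt "$5" ]; then return 0; fi
    if [ "$2" -gt "$5" ]; then return 1; fi
    if [ "$3" -lt "$6" ]; then return 0; fi
    return 1
}

# Print "affected" or "fixed" for one clamscan --version line, or "unknown"
# when no version can be parsed (an unknown result needs manual review).
clamav_status() {
    v=$(clamav_version_from_line "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_older_than "$v" "$FIXED_VERSION"; then
        echo affected
    else
        echo fixed
    fi
}

# Usage on constructed sample lines. On a live Kolab Server the line would
# come from the installed scanner, e.g. "$(/kolab/bin/clamscan --version)"
# (path assumed for the OpenPKG layout).
for line in "ClamAV 0.86.2/1067/Thu Sep 15 2005" \
            "ClamAV 0.87/1095/Thu Sep 22 2005"; do
    printf '%s -> %s\n' "$line" "$(clamav_status "$line")"
done
```

The comparison deliberately splits on dots and compares numerically; a
string comparison would rank 0.86.2 after 0.87 and report a vulnerable host
as fixed, which is the failure mode such a check must avoid.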


Details
-------

http://www.securityfocus.com/bid/14866
	ClamAV UPX Compressed Executable Buffer Overflow Vulnerability

http://www.securityfocus.com/bid/14867
	ClamAV FSG Compressed Executable Infinite Loop DOS Vulnerability


Timeline
--------
    20050916 clamav vendor released combined security and functional update
    20050921 kolab update and security advisory published
