thomas: doc/www/src/security kolab-vendor-notice-05.txt,1.1,1.2

cvs at intevation.de cvs at intevation.de
Thu Oct 20 18:30:48 CEST 2005


Author: thomas

Update of /kolabrepository/doc/www/src/security
In directory doto:/tmp/cvs-serv610

Modified Files:
	kolab-vendor-notice-05.txt 
Log Message:
Dropped curl issue.
Kolab Security Issue 05 now handles the possible clamav downgrade
due to the old version in obmtool.conf of Issue 04.


Index: kolab-vendor-notice-05.txt
===================================================================
RCS file: /kolabrepository/doc/www/src/security/kolab-vendor-notice-05.txt,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- kolab-vendor-notice-05.txt	14 Oct 2005 10:50:43 -0000	1.1
+++ kolab-vendor-notice-05.txt	20 Oct 2005 16:30:46 -0000	1.2
@@ -1,50 +1,70 @@
-Kolab Security Issue 05 200510??
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+Kolab Security Issue 05 20051020
 ================================
 
-Package:              curl
-Vulnerability:        libcurl NTLM Buffer Overflow 
-Kolab Specific:       no
-Dependent Packages:   clamav
+Package:              clamav
+Vulnerability:        buffer overflow, DOS, remotely exploitable
+Kolab Specific:       yes
+Dependent Packages:   none
 
 
 Summary
--------
+- -------
 
-FIXME
+Thorsten Schnebeck informed us on the kolab-users mailing list that the
+obmtool.conf file distributed with Kolab Security Issue 04 20051014 may
+cause a downgrade of clamav to a vulnerable version.
 
 
 Affected Versions
------------------
+- -----------------
+
+ClamAV-0.86.2 or earlier are affected.
 
-OpenPKG packages of curl-FIXME earlier are affected.
-Kolab Server 2.0.1 and previous releases of the 2.0 branch are affected.
 You can check the installed version with:
-/kolab/bin/openpkg rpm -q curl
+/kolab/bin/openpkg rpm -q clamav
 
 
 Fixes
------
+- -----
 
-FIXME
+Upgrade to ClamAV 0.87 again by following the instructions from
+Kolab Security Issue 03 20050921, included here for convenience:
 
-Install OpenPKG package curl-FIXME
+A new ClamAV RPM is available from the Kolab download mirrors as
+security-updates/20050921/clamav-0.87-20050916.src.rpm
+
+A binary RPM for Debian woody (ix86) is available as
+security-updates/20050921/clamav-0.87-20050916.ix86-debian3.0-kolab.rpm
+
+The mirrors are listed on http://kolab.org/mirrors.html
 
 
 Details
--------
+- -------
 
-http://curl.haxx.se/docs/security.html#BID15102
-	curl Security vendor page
+http://kolab.org/security/kolab-vendor-notice-03.txt
+	Kolab Security Issue 03 20050921
 
-http://www.securityfocus.com/bid/15102
-	Bugtraq ID 15102
+http://kolab.org/security/kolab-vendor-notice-04.txt
+	Kolab Security Issue 04 20051014
 
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3185
-	Common Vulnerabilities and Exposures (CVE): CAN-2005-3185
+http://kolab.org/pipermail/kolab-users/2005-October/003582.html
+	Thorsten Schnebeck published the problem on kolab-users
 
 
 Timeline
---------
-    20051012 iDEFENSE Security Advisory [IDEF1202] posted to wget.general
-    20051013 vendor patch and fixed version published
-    200510?? Kolab update and security advisory published
+- --------
+    20051014 Kolab Security Issue 04 published with incorrect obmtool.conf
+    20051020 Problem published on kolab-users mailing list
+    20051020 Problem confirmed and updated security advisory published
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.1 (GNU/Linux)
+
+iD8DBQFDV8XDW7P1GVgWeRoRAprBAJ9dPi5lrXnOOawDv87dO4Cj6HWShQCffJAH
+qz0Y+tXVu7KqTfhPstdTc6I=
+=Pth1
+-----END PGP SIGNATURE-----
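Review bot: The Fixes section in this hunk re-applies the ClamAV 0.87 upgrade from Issue 03 but never tells the administrator to correct the obmtool.conf shipped with Issue 04, even though the Summary names that file as the cause of the downgrade; without that step the next obmtool run will pull clamav back to the vulnerable version. Suggest adding a line under "Fixes" stating that obmtool.conf must be updated (or the corrected file fetched) before or alongside the RPM upgrade, e.g. "Replace the obmtool.conf from Kolab Security Issue 04 with the corrected version, then upgrade clamav". Two smaller points: the removed line "Kolab Server 2.0.1 and previous releases of the 2.0 branch are affected." has no replacement, yet "Kolab Specific: yes" makes the affected Kolab Server releases the most relevant version information for readers; and since the update is expected to re-upgrade clamav, the version check "/kolab/bin/openpkg rpm -q clamav" could state the expected post-fix output (0.87) so admins can verify the downgrade has actually been undone.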




