thomas: doc/www/src/security kolab-vendor-notice-21.txt,NONE,1.1

cvs at kolab.org
Wed Jun 18 18:03:47 CEST 2008


Author: thomas

Update of /kolabrepository/doc/www/src/security
In directory doto:/tmp/cvs-serv29044

Added Files:
	kolab-vendor-notice-21.txt 
Log Message:
Kolab Security Issue 21 20080618 (clamav)


--- NEW FILE: kolab-vendor-notice-21.txt ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 21 20080618
================================

Package:              Kolab Server, ClamAV
Vulnerability:        denial of service
Kolab Specific:       no
Dependent Packages:   none


Summary
~~~~~~~

Damian Put reported a flaw in the ClamAV code that unpacks executables
compressed with the Petite packer. Scanning such a file can trigger an
invalid memory access and crash the scanner, hence the denial of service
listed above.


Affected Versions
~~~~~~~~~~~~~~~~~

This affects ClamAV versions up to and including 0.93.
Kolab Server 2.1.0 and previous releases of the 2.1 branch are affected.
Kolab Server 2.0.4 and previous releases of the 2.0 branch are affected.
Kolab Server 2.2-rc3 and previous prereleases are affected.


Fix
~~~

Upgrade to ClamAV 0.93.1.

The ClamAV source RPM patched to be compilable with Kolab Server 2.1 and 2.0
is available from the Kolab download mirrors as:
security-updates/20080618/clamav-0.93.1-20080610_kolab.src.rpm

For Kolab Server 2.2 release candidates the unmodified OpenPKG rpm can be used:
security-updates/20080618/clamav-0.93.1-20080610.src.rpm

A binary RPM for Kolab Server 2.1.0 (ix86 Debian GNU/Linux Sarge) is available:
security-updates/20080618/clamav-0.93.1-20080610_kolab.ix86-debian3.1-kolab.rpm

A binary RPM for Kolab Server 2.2 release candidates (ix86 Debian GNU/Linux
Etch) is available from:
security-updates/20080618/clamav-0.93.1-20080610.ix86-debian4.0-kolab.rpm

All other server versions: Please build from the src.rpm.


The mirrors are listed on http://kolab.org/mirrors.html
While the mirrors are catching up, you can also get the package via rsync:
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080618/clamav-0.93.1-20080610_kolab.src.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080618/clamav-0.93.1-20080610_kolab.ix86-debian3.1-kolab.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080618/clamav-0.93.1-20080610.src.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080618/clamav-0.93.1-20080610.ix86-debian4.0-kolab.rpm .

MD5 sums:
15a088fcdcd8af3513c38afe69a69d2b  clamav-0.93.1-20080610.ix86-debian4.0-kolab.rpm
57d5566041ee8f771673be894de8c00f  clamav-0.93.1-20080610.src.rpm
9c7d90027b3c4a923be2269f7a91fd3e  clamav-0.93.1-20080610_kolab.ix86-debian3.1-kolab.rpm
7d7e51d550282eff0eeb9c0eb34bb446  clamav-0.93.1-20080610_kolab.src.rpm


The package can be installed on your Kolab Server with

# /kolab/bin/openpkg rpm --rebuild clamav-0.93.1-20080610_kolab.src.rpm
# /kolab/bin/openpkg rpm \
  -Uvh /kolab/RPM/PKG/clamav-0.93.1-20080610_kolab.<ARCH>-<OS>-kolab.rpm
# rm /kolab/etc/clamav/*.rpmsave
# /kolab/bin/openpkg rc clamav stop
# /kolab/bin/openpkg rc clamav start
# su - kolab-r
$ freshclam
$ rm -r /kolab/share/clamav/*.inc

For Kolab Server 2.0.4 you have to copy the new /kolab/etc/clamav/clamd.conf
to /kolab/etc/kolab/templates/clamd.conf.template so it will not be
overwritten by kolabconf. Do NOT copy this file with Kolab Server 2.1 or 2.2!
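The download, checksum and install steps above, as one script. This is an
added example, not part of the advisory or of the Kolab project's own
tooling. It assumes GNU md5sum and awk, the /kolab OpenPKG tree exactly as
named in the advisory, and that the rebuilt binary package lands in
/kolab/RPM/PKG under the clamav-0.93.1-20080610*-kolab.rpm naming shown
above; the KOLAB_APPLY switch and the script file name are this example's
own conventions.

```shell
#!/bin/sh
# Added example, not part of the Kolab advisory: check a downloaded package
# against the advisory's MD5 list, then run the documented install steps.
# Assumptions: GNU md5sum/awk are present, the OpenPKG tree lives under
# /kolab as in the advisory, and the rebuilt binary RPM lands in
# /kolab/RPM/PKG with the clamav-0.93.1-20080610*-kolab.rpm naming shown there.
set -eu

# MD5 sums as published in the advisory (authenticated by its PGP signature).
ADVISORY_MD5SUMS='15a088fcdcd8af3513c38afe69a69d2b  clamav-0.93.1-20080610.ix86-debian4.0-kolab.rpm
57d5566041ee8f771673be894de8c00f  clamav-0.93.1-20080610.src.rpm
9c7d90027b3c4a923be2269f7a91fd3e  clamav-0.93.1-20080610_kolab.ix86-debian3.1-kolab.rpm
7d7e51d550282eff0eeb9c0eb34bb446  clamav-0.93.1-20080610_kolab.src.rpm'

# verify_md5 FILE SUMLIST
# Succeeds only if FILE's basename appears in SUMLIST and its md5sum matches.
# A file that is not listed is rejected, so a mirror cannot hand out an
# unexpected package name and have it accepted.
verify_md5() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(printf '%s\n' "$sums" | awk -v n="$name" '$2 == n { print $1 }')
    if [ -z "$expected" ]; then
        echo "$name: not listed in the advisory, refusing" >&2
        return 1
    fi
    actual=$(md5sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "$name: MD5 mismatch (got $actual, expected $expected)" >&2
        return 1
    fi
    echo "$name: MD5 OK"
}

# install_kolab_clamav SRCRPM [KOLAB_VERSION]
# The advisory's install sequence, in the order given there. Must run as root.
install_kolab_clamav() {
    srcrpm=$1
    version=${2:-}
    verify_md5 "$srcrpm" "$ADVISORY_MD5SUMS"
    /kolab/bin/openpkg rpm --rebuild "$srcrpm"
    # The advisory names the built package
    # clamav-0.93.1-20080610[_kolab].<ARCH>-<OS>-kolab.rpm; glob instead of
    # hard-coding <ARCH>-<OS>, and insist on exactly one existing match.
    set -- /kolab/RPM/PKG/clamav-0.93.1-20080610*-kolab.rpm
    [ $# -eq 1 ] && [ -f "$1" ] || {
        echo "expected exactly one built RPM, got: $*" >&2
        return 1
    }
    /kolab/bin/openpkg rpm -Uvh "$1"
    rm -f /kolab/etc/clamav/*.rpmsave
    /kolab/bin/openpkg rc clamav stop
    /kolab/bin/openpkg rc clamav start
    # Refresh signatures as the kolab-r user and drop the old .inc directories.
    su - kolab-r -c 'freshclam && rm -rf /kolab/share/clamav/*.inc'
    # Only Kolab Server 2.0.4 needs the template copy; the advisory says not
    # to do this on 2.1 or 2.2.
    if [ "$version" = "2.0.4" ]; then
        cp /kolab/etc/clamav/clamd.conf /kolab/etc/kolab/templates/clamd.conf.template
    fi
}

# Nothing is executed unless explicitly requested, e.g.
#   KOLAB_APPLY=1 sh kolab-clamav-update.sh clamav-0.93.1-20080610_kolab.src.rpm 2.1.0
if [ "${KOLAB_APPLY:-0}" = 1 ]; then
    install_kolab_clamav "${1:?usage: KOLAB_APPLY=1 $0 SRC_RPM [KOLAB_VERSION]}" "${2:-}"
fi
```

The MD5 list only proves the download is the file the advisory describes if
the advisory itself is genuine, so verify its PGP signature first
(gpg --verify kolab-vendor-notice-21.txt) rather than trusting a copy of the
sums fetched over plain rsync or HTTP from the same mirror as the packages.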


Details
~~~~~~~

http://sourceforge.net/project/shownotes.php?group_id=86638&release_id=605577
	ClamAV 0.93.1 release notes

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1000
	Entry in the ClamAV bug database

http://www.heise.de/security/news/meldung/109606
http://www.heise-online.co.uk/news/110947
	News about the DoS vulnerability on Heise Security


Timeline
~~~~~~~~
    20080609 ClamAV release 0.93.1.
    20080610 OpenPKG 0.93.1 package release.
    20080618 News on Heise security.
    20080618 Kolab Server security advisory published.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIWTGoW7P1GVgWeRoRAkVXAJkB3auxvbF/zLgH3ZHlBVMZcm1l1QCfVWDW
uLIP3f55t29BhShwdoV8RJY=
=reZg
-----END PGP SIGNATURE-----
