[Kolab-devel] Security Advisory 09 for Kolab Server (CVE-2006-1989, ClamAV)

Bernhard Reiter bernhard at intevation.de
Tue May 16 19:22:04 CEST 2006

www.kolab-konsortium.com  Professional Maintenance, Consultancy and Support.
Kolab Security Issue 09 20060516

Package:              Kolab Server
Vulnerability:        buffer overflow, remotely exploitable (CVE-2006-1989)
Kolab Specific:       no
Dependent Packages:   none
Impact:               high


The Clam AntiVirus package's freshclam component has a buffer overflow
that can be exploited remotely.

Freshclam fetches updates via HTTP. A specially prepared HTTP server 
could be used by an attacker to exploit the buffer overflow.
By means of DNS poisoning freshclam could be pointed to such a bogus server.

Affected Versions

This affects all servers which have ClamAV 0.80 up to 0.88.1 running.
Kolab Servers 2.0.3, Kolab Server 2.1beta1 are vulnerable.
Previous releases are affected.


Upgrade to ClamAV 0.88.2.

A new ClamAV RPM is available from the Kolab download mirrors as

In addition, a binary RPM for ix86 Debian GNU/Linux Sarge is available:
Kolab Server 2.0.3 (Sarge)

All other Server versions: Please build from the src.rpm.

The mirrors are listed on http://kolab.org/mirrors.html
While the mirrors are catching up, you can also get the package via rsync:
# rsync -tzv rsync://rsync.kolab.org/kolab/server/security-updates/20060616/clamav-0.88.2-20060430.src.rpm .

MD5 sums:
bce57f67d9549087f4f1b88313fcf237  clamav-0.88.2-20060430.src.rpm
8d646b130ed9f166ed16a589776406e4  clamav-0.88.2-20060430.ix86-debian3.1-kolab.rpm

The package can be installed on your Kolab Server with

# /kolab/bin/openpkg rpm --rebuild clamav-0.88.2-20060430.src.rpm
# /kolab/bin/openpkg rpm \
  -Uvh /kolab/RPM/PKG/clamav-0.88.2-20060430.<ARCH>-<OS>-kolab.rpm

The installation process will likely leave a freshclam.conf.rpmsave or
clamd.conf.rpmsave in /kolab/etc/clamav/.  Since freshclam.conf and
clamd.conf are generated files, remove the rpmsave files, run kolabconf
and make sure clamav starts.  E.g.

# rm /kolab/etc/clamav/clamd.conf.rpmsave
# /kolab/sbin/kolabconf
# /kolab/etc/rc clamav start

Optionally, update the virus signature files manually right away as a test:
# /kolab/bin/freshclam
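The following helper script is an added example and is not part of the Kolab
advisory or of the Kolab/OpenPKG tooling. It gives an administrator two checks
to run around the procedure above: whether a ClamAV version string falls in the
affected range (0.80 up to 0.88.1, as stated under Affected Versions), and
whether the downloaded packages match an MD5 list in the "sum  filename" format
printed above, before anything is rebuilt or installed. The function names are
the example's own, and the banner format parsed by parse_clamav_version
("ClamAV <version>/...") is an assumption about freshclam's --version output.

```sh
#!/bin/sh
# Added example for the Kolab advisory above; not part of the original advisory
# or of the Kolab/OpenPKG tooling. Helpers to (1) decide whether a ClamAV
# version lies in the affected range 0.80 .. 0.88.1 and (2) verify downloaded
# RPMs against an MD5 list in the "sum  filename" format the advisory prints.

# vercmp A B: compare dotted version strings numerically; prints -1, 0 or 1.
# Missing components count as 0, so 0.88 sorts below 0.88.1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# clamav_affected VERSION: true (exit 0) if 0.80 <= VERSION <= 0.88.1.
clamav_affected() {
    [ "$(vercmp "$1" 0.80)" -ge 0 ] && [ "$(vercmp "$1" 0.88.1)" -le 0 ]
}

# parse_clamav_version LINE: extract "0.88.1" from a banner such as
# "ClamAV 0.88.1/1452/..." (assumed format of `freshclam --version`);
# prints nothing if the line does not match.
parse_clamav_version() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*/\1/p'
}

# file_md5 FILE: hex MD5 of FILE, using GNU md5sum or BSD md5.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_md5_list SUMSFILE: every "sum  filename" line must name an existing
# file whose MD5 matches. Exit 0 only if all lines check out. Paths in
# SUMSFILE are relative to the current directory, as in the advisory.
verify_md5_list() {
    rc=0
    while read -r expected file; do
        [ -z "$expected" ] && continue
        if [ ! -f "$file" ]; then
            echo "MISSING  $file" >&2
            rc=1
            continue
        fi
        actual=$(file_md5 "$file")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $file"
        else
            echo "MISMATCH $file (expected $expected, got $actual)" >&2
            rc=1
        fi
    done < "$1"
    return $rc
}

# Typical use: save the two "MD5 sums" lines from the advisory to clamav.md5
# in the download directory, then run
#   verify_md5_list clamav.md5 && echo "packages verified"
# and, after the upgrade,
#   clamav_affected "$(parse_clamav_version "$(/kolab/bin/freshclam --version)")" \
#       && echo "still in affected range" || echo "upgraded past 0.88.1"
```

A MISSING or MISMATCH result should stop the upgrade until the package has
been re-fetched from a mirror or via rsync; the version check after the
upgrade confirms that the running ClamAV is no longer in the affected range.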


ClamAV 0.88.2 release notes

    20060429 ClamAV security release 0.88.2, announced as "Moderate risk".
    20060430 OpenPKG 0.88.2 package release as in section CUR/SRC/PLUS.
    20060516 Security assessment for Kolab Server by Martin Konold.
    20060516 Kolab Server tests, update and security advisory published.
