[Kolab-devel] Kolab Security Issue 15 20070601 (clamav)

Thomas Arendsen Hein thomas at intevation.de
Fri Jun 1 18:14:39 CEST 2007 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 15 20070601
================================

Package:              Kolab Server, ClamAV
Vulnerability:        denial of service, insecure temporary files
Kolab Specific:       no
Dependent Packages:   none


Summary
~~~~~~~

 - libclamav/unsp.c: fix end of buffer calculation (bb#464, patch from aCaB)
 - libclamav/others.c: use strict permissions (0600) for temporary files
   created in cli_gentempstream() (bb#517). Reported by Christoph Probst.
 - libclamav/unrar/unrar.c: heap corruption causing DoS with corrupted
   rar archive, better handle truncated files
 - libclamav/phishcheck.c: isURL() regex execution hangs on Solaris
 - libclamav/ole2_extract.c: detect block list loop (bb#466), patch from Trog


Affected Versions
~~~~~~~~~~~~~~~~~

This affects versions of ClamAV up to version 0.90.2.
Kolab Server 2.1.0 and previous releases of the 2.1 branch are affected.
Kolab Server 2.0.4 and previous releases of the 2.0 branch are affected,
please upgrade to Kolab Server 2.1.0 first.


Fix
~~~

Upgrade to ClamAV 0.90.3.

The ClamAV source RPM is available from the Kolab download mirrors as:
security-updates/20070601/clamav-0.90.3-20070531_kolab.src.rpm

A binary RPM for Kolab Server 2.1.0 (ix86 Debian GNU/Linux Sarge) is available:
security-updates/20070601/clamav-0.90.3-20070531_kolab.ix86-debian3.1-kolab.rpm

All other server versions: Please build from the src.rpm.


The mirrors are listed on http://kolab.org/mirrors.html
While the mirrors are catching up, you can also get the package via rsync:
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20070601/clamav-0.90.3-20070531_kolab.src.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20070601/clamav-0.90.3-20070531_kolab.ix86-debian3.1-kolab.rpm .

MD5 sums:
1af188d728d10d9df9708a2ab3e89e78  clamav-0.90.3-20070531_kolab.ix86-debian3.1-kolab.rpm
53097670b452fdab2c20193d27d1c479  clamav-0.90.3-20070531_kolab.src.rpm


The package can be installed on your Kolab Server with

# /kolab/bin/openpkg rpm --rebuild clamav-0.90.3-20070531_kolab.src.rpm
# /kolab/bin/openpkg rpm \
  -Uvh /kolab/RPM/PKG/clamav-0.90.3-20070531_kolab.<ARCH>-<OS>-kolab.rpm
# su - kolab-r
$ freshclam


Details
~~~~~~~

http://sourceforge.net/project/shownotes.php?release_id=512356
	ClamAV 0.90.3 release notes


Timeline
~~~~~~~~
    20070530 ClamAV release 0.90.3.
    20070531 OpenPKG 0.90.3 package release.
    20070601 Kolab Server security advisory published.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFGYEUqW7P1GVgWeRoRAi5jAJ4zw3zAH6qcg2Z3p3aMBewaayEntwCghcvi
uQqR9EIOgrBcdgjdrp8Cnow=
=UJ7k
-----END PGP SIGNATURE-----

-- 
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Osnabrueck - Register: Amtsgericht Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

More information about the devel mailing list