[Kolab-devel] Kolab Security Issue 20 20080416 (clamav)

Thomas Arendsen Hein thomas at intevation.de
Wed Apr 16 17:25:23 CEST 2008


Kolab Security Issue 20 20080416
================================

Package:              Kolab Server, ClamAV
Vulnerability:        various
Kolab Specific:       no
Dependent Packages:   none


Summary
~~~~~~~

Various vulnerabilities, some allowing remote attackers to execute arbitrary
code, others causing a denial of service, have been found in ClamAV.


Affected Versions
~~~~~~~~~~~~~~~~~

This affects all versions of ClamAV up to and including 0.92.1.
Kolab Server 2.1.0 and previous releases of the 2.1 branch are affected.
Kolab Server 2.0.4 and previous releases of the 2.0 branch are affected.
Kolab Server 2.2-rc2 and previous prereleases are affected.


Fix
~~~

Upgrade to ClamAV 0.93.

The ClamAV source RPM patched to be compilable with Kolab Server 2.1 and 2.0
is available from the Kolab download mirrors as:
security-updates/20080416/clamav-0.93-20080414_kolab.src.rpm

For Kolab Server 2.2-rc1 and -rc2 the unmodified OpenPKG rpm can be used:
security-updates/20080416/clamav-0.93-20080414.src.rpm

A binary RPM for Kolab Server 2.1.0 (ix86 Debian GNU/Linux Sarge) is available:
security-updates/20080416/clamav-0.93-20080414_kolab.ix86-debian3.1-kolab.rpm

A binary RPM for Kolab Server 2.2-rc1 and rc2 (ix86 Debian GNU/Linux Etch) is
available from:
security-updates/20080416/clamav-0.93-20080414.ix86-debian4.0-kolab.rpm

All other server versions: Please build from the src.rpm.


The mirrors are listed on http://kolab.org/mirrors.html
While the mirrors are catching up, you can also get the package via rsync:
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080416/clamav-0.93-20080414_kolab.src.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080416/clamav-0.93-20080414_kolab.ix86-debian3.1-kolab.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080416/clamav-0.93-20080414.src.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080416/clamav-0.93-20080414.ix86-debian4.0-kolab.rpm .

MD5 sums:
3f4a1e82a83ad3122e72744653c4d5d0  clamav-0.93-20080414.ix86-debian4.0-kolab.rpm
35c11b1f4e56b5b7169a52521f24dbdb  clamav-0.93-20080414.src.rpm
34f2a4853eab14c83559c80dd2b619c5  clamav-0.93-20080414_kolab.ix86-debian3.1-kolab.rpm
21ff5b7812d27bc22f4e808d93d68714  clamav-0.93-20080414_kolab.src.rpm


The package can be installed on your Kolab Server with

# /kolab/bin/openpkg rpm --rebuild clamav-0.93-20080414_kolab.src.rpm
# /kolab/bin/openpkg rpm \
  -Uvh /kolab/RPM/PKG/clamav-0.93-20080414_kolab.<ARCH>-<OS>-kolab.rpm
# rm /kolab/etc/clamav/*.rpmsave
# /kolab/bin/openpkg rc clamav stop
# /kolab/bin/openpkg rc clamav start
# su - kolab-r
$ freshclam
$ rm -r /kolab/share/clamav/*.inc

For Kolab Server 2.0.4 you have to copy the new /kolab/etc/clamav/clamd.conf
to /kolab/etc/kolab/templates/clamd.conf.template so it will not be
overwritten by kolabconf. Do NOT copy this file with Kolab Server 2.1 or 2.2!
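
As an added example, not part of this advisory and not a script shipped by
Kolab or OpenPKG, the following POSIX shell script ties the rsync fetch, the
MD5 check and the install sequence above together so that the package is
never rebuilt or installed unless its checksum matches the value published
here. The mirror URL, file names and MD5 sums are copied from this advisory;
ARCH, OS and KOLAB_204 are placeholders you set for your server, and
install_update() must be run as root.

```shell
#!/bin/sh
# Added example, not part of the original advisory or of Kolab/OpenPKG:
# fetch one of the advertised packages, verify it against the MD5 sum
# published in the advisory, and only then run the documented install steps.
# Assumptions: MIRROR and the file names/sums are copied from the advisory;
# ARCH and OS stand in for the <ARCH>-<OS> part of the binary RPM name and
# must be set for your server; install_update() must run as root.

set -eu

MIRROR="rsync://rsync.kolab.org/kolab/server/security-updates/20080416"
ARCH="${ARCH:-ix86}"       # placeholder, e.g. ix86
OS="${OS:-debian3.1}"      # placeholder, e.g. debian3.1 (Sarge) or debian4.0 (Etch)

# MD5 sums exactly as published in the advisory's "MD5 sums" section.
# Returns 1 for any file the advisory does not list.
expected_md5() {
    case "$1" in
        clamav-0.93-20080414.ix86-debian4.0-kolab.rpm)
            echo 3f4a1e82a83ad3122e72744653c4d5d0 ;;
        clamav-0.93-20080414.src.rpm)
            echo 35c11b1f4e56b5b7169a52521f24dbdb ;;
        clamav-0.93-20080414_kolab.ix86-debian3.1-kolab.rpm)
            echo 34f2a4853eab14c83559c80dd2b619c5 ;;
        clamav-0.93-20080414_kolab.src.rpm)
            echo 21ff5b7812d27bc22f4e808d93d68714 ;;
        *)  return 1 ;;
    esac
}

# Print the MD5 of a file using whichever tool the host provides.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Succeed only when the file's MD5 equals the expected value given as $2.
check_md5() {
    actual=$(file_md5 "$1")
    [ "$actual" = "$2" ]
}

# The advisory's install sequence, gated on a successful checksum check.
# $1 is a src.rpm name from the advisory; the binary RPM the rebuild produces
# is derived from it (..._kolab.src.rpm -> ..._kolab.ix86-debian3.1-kolab.rpm).
install_update() {
    pkg="$1"
    sum=$(expected_md5 "$pkg") || { echo "no published MD5 for $pkg" >&2; return 1; }
    rsync -tvP "$MIRROR/$pkg" .
    check_md5 "$pkg" "$sum" || { echo "MD5 mismatch for $pkg, not installing" >&2; return 1; }
    /kolab/bin/openpkg rpm --rebuild "$pkg"
    /kolab/bin/openpkg rpm -Uvh "/kolab/RPM/PKG/${pkg%.src.rpm}.${ARCH}-${OS}-kolab.rpm"
    rm -f /kolab/etc/clamav/*.rpmsave
    /kolab/bin/openpkg rc clamav stop
    /kolab/bin/openpkg rc clamav start
    # The advisory runs these two steps interactively after "su - kolab-r";
    # wrapping them in su -c is an adaptation for a non-interactive script.
    su - kolab-r -c 'freshclam && rm -r /kolab/share/clamav/*.inc'
    # Kolab Server 2.0.4 only (see the advisory): keep kolabconf from
    # overwriting the new clamd.conf. Never do this on 2.1 or 2.2.
    if [ "${KOLAB_204:-no}" = yes ]; then
        cp /kolab/etc/clamav/clamd.conf /kolab/etc/kolab/templates/clamd.conf.template
    fi
}

# Run the update only when invoked explicitly, e.g.
#   ARCH=ix86 OS=debian3.1 sh update-clamav.sh --run clamav-0.93-20080414_kolab.src.rpm
if [ "${1:-}" = "--run" ]; then
    install_update "${2:?package name required}"
fi
```

The checksum gate is the point: a mirror that has not caught up, or a
tampered copy, yields a file whose MD5 differs from the published one, and
the script then stops before the rebuild and before any package is upgraded.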


Details
~~~~~~~

http://sourceforge.net/project/shownotes.php?release_id=592112&group_id=86638
	ClamAV 0.93 release notes

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=876
	PeSpin Heap Overflow Vulnerability

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=877
	WWPack Heap Overflow Vulnerability

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=878
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1100
	Upack Buffer Overflow Vulnerability (CVE-2008-1100)

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=897
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1387
	ARJ: Sample from CERT-FI hangs clamav (CVE-2008-1387)


Timeline
~~~~~~~~
    20080414 ClamAV release 0.93.
    20080414 OpenPKG 0.93 package release.
    20080416 Kolab Server security advisory published.

-- 
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Osnabrueck - Register: Amtsgericht Osnabrueck, HR B 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner