Kolab Security Issue 15 20070601 (clamav)
Thomas Arendsen Hein
thomas at intevation.de
Fri Jun 1 18:14:39 CEST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Kolab Security Issue 15 20070601
================================
Package: Kolab Server, ClamAV
Vulnerability: denial of service, insecure temporary files
Kolab Specific: no
Dependent Packages: none
Summary
~~~~~~~
- libclamav/unsp.c: fix end of buffer calculation (bb#464, patch from aCaB)
- libclamav/others.c: use strict permissions (0600) for temporary files
created in cli_gentempstream() (bb#517). Reported by Christoph Probst.
- libclamav/unrar/unrar.c: heap corruption causing DoS with corrupted
rar archive, better handle truncated files
- libclamav/phishcheck.c: isURL() regex execution hangs on Solaris
- libclamav/ole2_extract.c: detect block list loop (bb#466), patch from Trog
Affected Versions
~~~~~~~~~~~~~~~~~
This affects versions of ClamAV up to version 0.90.2.
Kolab Server 2.1.0 and previous releases of the 2.1 branch are affected.
Kolab Server 2.0.4 and previous releases of the 2.0 branch are affected,
please upgrade to Kolab Server 2.1.0 first.
Fix
~~~
Upgrade to ClamAV 0.90.3.
The ClamAV source RPM is available from the Kolab download mirrors as:
security-updates/20070601/clamav-0.90.3-20070531_kolab.src.rpm
A binary RPM for Kolab Server 2.1.0 (ix86 Debian GNU/Linux Sarge) is available:
security-updates/20070601/clamav-0.90.3-20070531_kolab.ix86-debian3.1-kolab.rpm
All other server versions: Please build from the src.rpm.
The mirrors are listed on http://kolab.org/mirrors.html
While the mirrors are catching up, you can also get the package via rsync:
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20070601/clamav-0.90.3-20070531_kolab.src.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20070601/clamav-0.90.3-20070531_kolab.ix86-debian3.1-kolab.rpm .
MD5 sums:
1af188d728d10d9df9708a2ab3e89e78 clamav-0.90.3-20070531_kolab.ix86-debian3.1-kolab.rpm
53097670b452fdab2c20193d27d1c479 clamav-0.90.3-20070531_kolab.src.rpm
The package can be installed on your Kolab Server with
# /kolab/bin/openpkg rpm --rebuild clamav-0.90.3-20070531_kolab.src.rpm
# /kolab/bin/openpkg rpm \
-Uvh /kolab/RPM/PKG/clamav-0.90.3-20070531_kolab.<ARCH>-<OS>-kolab.rpm
# su - kolab-r
$ freshclam
Details
~~~~~~~
http://sourceforge.net/project/shownotes.php?release_id=512356
ClamAV 0.90.3 release notes
Timeline
~~~~~~~~
20070530 ClamAV release 0.90.3.
20070531 OpenPKG 0.90.3 package release.
20070601 Kolab Server security advisory published.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFGYEUqW7P1GVgWeRoRAi5jAJ4zw3zAH6qcg2Z3p3aMBewaayEntwCghcvi
uQqR9EIOgrBcdgjdrp8Cnow=
=UJ7k
-----END PGP SIGNATURE-----
--
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Osnabrueck - Register: Amtsgericht Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
More information about the users
mailing list