Kolab Security Issue 18 20080109 (clamav)
Thomas Arendsen Hein
thomas at intevation.de
Wed Jan 9 18:07:39 CET 2008
Kolab Security Issue 18 20080109
================================
Package: Kolab Server, ClamAV
Vulnerability: various
Kolab Specific: no
Dependent Packages: none
Summary
~~~~~~~
CVE-2007-6335
It was discovered that an integer overflow in the decompression code
for MEW archives may lead to the execution of arbitrary code.
CVE-2007-6336
It was discovered that an off-by-one in the MS-ZIP decompression
code may lead to the execution of arbitrary code.
CVE-2007-6337
Unspecified vulnerability in the bzip2 decompression algorithm in
nsis/bzlib_private.h
Affected Versions
~~~~~~~~~~~~~~~~~
This affects versions of ClamAV up to version 0.91.2.
Kolab Server 2.1.0 and previous releases of the 2.1 branch are affected.
Kolab Server 2.0.4 and previous releases of the 2.0 branch are affected.
Kolab Server 2.2-beta3 and previous prereleases are affected.
Fix
~~~
Upgrade to ClamAV 0.92.
The ClamAV source RPM patched to be compilable with Kolab Server 2.1 and 2.0
is available from the Kolab download mirrors as:
security-updates/20080109/clamav-0.92-20080101_kolab.src.rpm
A binary RPM for Kolab Server 2.1.0 (ix86 Debian GNU/Linux Sarge) is available:
security-updates/20080109/clamav-0.92-20080101_kolab.ix86-debian3.1-kolab.rpm
All other server versions: Please build from the src.rpm.
For Kolab Server 2.2-beta3 the unmodified OpenPKG rpm can be used:
security-updates/20080109/clamav-0.92-20080101.src.rpm
The mirrors are listed on http://kolab.org/mirrors.html
While the mirrors are catching up, you can also get the package via rsync:
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080109/clamav-0.92-20080101_kolab.src.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080109/clamav-0.92-20080101_kolab.ix86-debian3.1-kolab.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080109/clamav-0.92-20080101.src.rpm .
MD5 sums:
ad61c36b1d84aaa06e734fa02e13923b clamav-0.92-20080101.src.rpm
3fe0e99160eea9816e55630378cd79d8 clamav-0.92-20080101_kolab.ix86-debian3.1-kolab.rpm
91094b48f22958536685eb29c786ea4f clamav-0.92-20080101_kolab.src.rpm
The package can be installed on your Kolab Server with
# /kolab/bin/openpkg rpm --rebuild clamav-0.92-20080101_kolab.src.rpm
# /kolab/bin/openpkg rpm \
-Uvh /kolab/RPM/PKG/clamav-0.92-20080101_kolab.<ARCH>-<OS>-kolab.rpm
# rm /kolab/etc/clamav/*.rpmsave
# /kolab/bin/openpkg rc clamav start
# su - kolab-r
$ freshclam
For Kolab Server 2.0.4 you have to copy the new /kolab/etc/clamav/clamd.conf
to /kolab/etc/kolab/templates/clamd.conf.template so it will not be
overwritten by kolabconf. Do NOT copy this file with Kolab Server 2.1 or 2.2!
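As an added example (not part of the original advisory), a POSIX shell script that fetches the packages listed above from the rsync mirror and refuses to go on to the rebuild step if a file's MD5 sum differs from the published one; it assumes rsync and md5sum (GNU coreutils) are installed on the server.

```shell
#!/bin/sh
# Added example, not from the advisory: fetch the 20080109 ClamAV packages
# from the Kolab rsync mirror and verify each against the MD5 sums published
# above before rebuilding or installing. Assumes rsync and md5sum (coreutils).

MIRROR="rsync://rsync.kolab.org/kolab/server/security-updates/20080109"

# MD5 sums exactly as published in the advisory.
EXPECTED_SUMS="ad61c36b1d84aaa06e734fa02e13923b clamav-0.92-20080101.src.rpm
3fe0e99160eea9816e55630378cd79d8 clamav-0.92-20080101_kolab.ix86-debian3.1-kolab.rpm
91094b48f22958536685eb29c786ea4f clamav-0.92-20080101_kolab.src.rpm"

# published_sum FILE: print the advisory's MD5 for FILE (empty if unlisted).
published_sum() {
    printf '%s\n' "$EXPECTED_SUMS" | awk -v f="$1" '$2 == f { print $1 }'
}

# verify_md5 EXPECTED FILE: return 0 if FILE hashes to EXPECTED, else 1.
verify_md5() {
    expected=$1
    file=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] && return 0
    echo "MD5 MISMATCH for $file: expected $expected, got $actual" >&2
    return 1
}

# fetch_and_verify FILE: download FILE (unless already present) and check it
# against the published sum. Returns 1 on any failure.
fetch_and_verify() {
    file=$1
    expected=$(published_sum "$file")
    [ -n "$expected" ] || { echo "no published sum for $file" >&2; return 1; }
    [ -f "$file" ] || rsync -tvP "$MIRROR/$file" . || return 1
    verify_md5 "$expected" "$file"
}

# Run with --run to fetch and check the src.rpm that most servers need;
# the rebuild command is only printed when the checksum matched.
if [ "${1:-}" = "--run" ]; then
    fetch_and_verify clamav-0.92-20080101_kolab.src.rpm || exit 1
    echo "checksum OK, now run: /kolab/bin/openpkg rpm --rebuild clamav-0.92-20080101_kolab.src.rpm"
fi
```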
Details
~~~~~~~
http://sourceforge.net/project/shownotes.php?release_id=562254
ClamAV 0.92 release notes
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6335
CVE-2007-6335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6336
CVE-2007-6336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6337
CVE-2007-6337
Timeline
~~~~~~~~
20071217 ClamAV release 0.92.
20071217 OpenPKG 0.92 package release.
20080109 Kolab Server security advisory published.
--
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Osnabrueck - Register: Amtsgericht Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner