Kolab Security Issue 22 (clamav)
Sascha Wilde
wilde at intevation.de
Thu Sep 11 16:23:53 CEST 2008
Kolab Security Issue 22 20080911
================================
Package: Kolab Server, ClamAV
Vulnerability: denial of service
Kolab Specific: no
Dependent Packages: none
Summary
~~~~~~~
Various unspecified memory corruption vulnerabilities and a bug in the
chm parser allowed remote attackers to cause a denial of service.
Further unknown attack vectors might exist.
Affected Versions
~~~~~~~~~~~~~~~~~
This affects versions of ClamAV up to version 0.93.1
Kolab Server 2.1.0 and previous releases of the 2.1 branch are affected.
Kolab Server 2.0.4 and previous releases of the 2.0 branch are affected.
Kolab Server 2.2.0 and previous prereleases are affected.
Fix
~~~
Upgrade to ClamAV 0.94.
The ClamAV source RPM patched to be compilable with Kolab Server 2.1 and 2.0
is available from the Kolab download mirrors as:
security-updates/20080911/clamav-0.94-20080905_kolab.src.rpm
For Kolab Server 2.2.0 the unmodified OpenPKG rpm can be used:
security-updates/20080911/clamav-0.94-20080905.src.rpm
A binary RPM for Kolab Server 2.1.0 (ix86 Debian GNU/Linux Sarge) is available:
security-updates/20080911/clamav-0.94-20080905_kolab.ix86-debian3.1-kolab.rpm
A binary RPM for Kolab Server 2.2.0 (ix86 Debian GNU/Linux Etch)
is available from:
security-updates/20080911/clamav-0.94-20080905_kolab.ix86-debian4.0-kolab.rpm
All other server versions: Please build from the src.rpm.
The mirrors are listed on http://kolab.org/mirrors.html
While the mirrors are catching up, you can also get the package via rsync:
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080911/clamav-0.94-20080905_kolab.src.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080911/clamav-0.94-20080905_kolab.ix86-debian3.1-kolab.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080911/clamav-0.94-20080905.src.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080911/clamav-0.94-20080905.ix86-debian4.0-kolab.rpm .
MD5 sums:
35acf995ef8927a8ea76afb8502eb648 clamav-0.94-20080905.ix86-debian4.0-kolab.rpm
0b6be1bf21deef9de8582a56d330aaef clamav-0.94-20080905.src.rpm
67ffd197c991b5d1dc83520a91b5ff57 clamav-0.94-20080905_kolab.ix86-debian3.1-kolab.rpm
0b7d3a2a22f9a2c2e12bc0b14cc3b800 clamav-0.94-20080905_kolab.src.rpm
The package can be installed on your Kolab Server with
# /kolab/bin/openpkg rpm --rebuild clamav-0.93.1-20080610_kolab.src.rpm
# /kolab/bin/openpkg rpm \
-Uvh /kolab/RPM/PKG/clamav-0.93.1-20080610_kolab.<ARCH>-<OS>-kolab.rpm
# rm /kolab/etc/clamav/*.rpmsave
# /kolab/bin/openpkg rc clamav stop
# /kolab/bin/openpkg rc clamav start
# su - kolab-r
$ freshclam
$ rm -r /kolab/share/clamav/*.inc
For Kolab Server 2.0.4 you have to copy the new /kolab/etc/clamav/clamd.conf
to /kolab/etc/kolab/templates/clamd.conf.template so it will not be
overwritten by kolabconf. Do NOT copy this file with Kolab Server 2.1 or 2.2!
Details
~~~~~~~
http://sourceforge.net/project/shownotes.php?release_id=623661&group_id=86638
ClamAV 0.94 release notes
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1389
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1089
clamav chm handler: crasher bugs
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3912
http://www.securityfocus.com/bid/31051
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1141
DOS related to out-of-memory in libclamav
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3913
http://www.securityfocus.com/bid/31051
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1141
DOS caused by multiple memory leaks in freshclam/manager.c
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3914
http://www.securityfocus.com/bid/31051
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1141
Multiple unspecified vulnerabilities with unknown impact
Timeline
~~~~~~~~
20080902 ClamAV release 0.94.
20080905 OpenPKG 0.94 package release.
20080905 Kolab Bug Tracker Issue created.
20080611 Kolab Server security advisory published.
--
Sascha Wilde OpenPGP key: 4BB86568
Intevation GmbH, Osnabrück http://www.intevation.de/~wilde/
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: not available
URL: <http://lists.kolab.org/pipermail/users/attachments/20080911/ce7a05d0/attachment.sig>
More information about the users
mailing list