Kolab Security Issue 25 20091117 (clamav)
Thomas Arendsen Hein
thomas at intevation.de
Tue Nov 17 17:18:25 CET 2009
Kolab Security Issue 25 20091117
================================
Package: Kolab Server, ClamAV
Vulnerability: various
Kolab Specific: no
Dependent Packages: none
Summary
~~~~~~~
ClamAV is prone to multiple vulnerabilities because it fails to properly
restrict certain files after scanning them. A successful attack may allow
malicious users to bypass security restrictions placed on certain files.
Further unpublished vulnerabilities may habe been fixed.
Affected Versions
~~~~~~~~~~~~~~~~~
This affects versions of ClamAV up to version 0.95.1
Kolab Server 2.2.2 and previous releases are affected.
Fix
~~~
Upgrade to ClamAV 0.95.3.
OpenPKG packages for Kolab Server 2.2.2 are available from
http://files.kolab.org/server/security-updates/20091117/
or from the mirrors listed on http://kolab.org/mirrors.html
A binary RPM for Kolab Server 2.2.2 (ix86 Debian GNU/Linux Lenny)
is available as clamav-0.95.3-20091030.ix86-debian5.0-kolab.rpm
A binary RPM for Kolab Server 2.2.2 (ix86 Debian GNU/Linux Etch)
is available as clamav-0.95.3-20091030.ix86-debian4.0-kolab.rpm
The source and binary packages have been verified to work with Kolab Server
2.2.0, so you can upgrade this package without doing a full upgrade.
All other server versions: Please upgrade to Kolab Server 2.2.x and install
the updated package.
You can check the integrity of the downloaded files with:
$ gpg --keyserver keys.gnupg.net --recv-key 5816791A
or import the key from https://www.intevation.de/~thomas/gpg_pub_key.asc
$ gpg --verify SHA1SUMS.sig
$ sha1sum -c SHA1SUMS
The source package can be compiled and installed on your Kolab Server with:
# su - kolab
$ openpkg rpm --rebuild ...path/to.../clamav-0.95.3-20091030.src.rpm
$ openpkg rpm -Uvh /kolab/RPM/PKG/clamav-0.95.3-20091030.<ARCH>-<OS>-kolab.rpm
$ rm /kolab/etc/clamav/*.rpmsave
$ openpkg rc clamav stop
$ openpkg rc clamav start
$ exit
# su - kolab-r
$ freshclam
$ rm -r /kolab/share/clamav/*.inc
To install a binary package, just skip the --rebuild step.
Details
~~~~~~~
http://sourceforge.net/project/shownotes.php?release_id=688880
ClamAV 0.95.2 release notes
(bugfix release, only the ChangeLog has been published)
ClamAV 0.95.3 release notes
http://www.securityfocus.com/bid/35426
ClamAV CAB/RAR/ZIP File Scan Evasion Vulnerability
http://www.securityfocus.com/bid/35398
ClamAV Embedded Archive File Scan Evasion Vulnerability
http://www.securityfocus.com/bid/35410
ClamAV Prior to 0.95.2 Multiple Scanner Bypass Vulnerabilities
Timeline
~~~~~~~~
20090610 ClamAV release 0.95.2.
20091028 ClamAV release 0.95.3.
20091030 Update available via Kolab CVS, started testing.
20091117 Kolab Server security advisory published.
--
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.kolab.org/pipermail/users/attachments/20091117/5c42abb3/attachment.sig>
More information about the users
mailing list