[Backports-security-announce] Security Update for clamav

2009-07-20T14:56:17
ID DEBIAN:5B0C409E9CD76D0AAAAF2CEF144B3900:1A617
Type debian
Reporter Debian
Modified 2009-07-20T14:56:17

Description

Sebastian Harl uploaded new packages for clamav which fixed the following security problems:

CVE-2008-6680, DSA-1771-1, Debian bug #523016

Attackers can cause a denial of service (crash) via a crafted EXE
file that triggers a divide-by-zero error.

CVE-2009-1270, DSA-1771-1, Debian bug #523016

Attackers can cause a denial of service (infinite loop) via a
crafted tar file that causes (1) clamd and (2) clamscan to hang.

CVE-2009-1371, DSA-1771-1

Attackers can cause a denial of service (crash) via a crafted EXE
file that crashes the UPack unpacker.

Debian bug #535881

The parsing engine can be bypassed: CAB, RAR and ZIP archives can be manipulated in a "certain way" so that the ClamAV engine cannot extract their content, while the end user's archive tool still can.

For the etch-backports distribution the problems have been fixed in version 0.95.2+dfsg-2~bpo40+1.

The lenny-backports distribution does not include clamav packages and, thus, is not affected.

Upgrade instructions

If you don't use pinning [1], you have to update the packages manually via "apt-get -t etch-backports install <packagelist>", where <packagelist> is the list of installed packages affected by this update.

[1] http://backports.org/dokuwiki/doku.php?id=instructions

We recommend pinning the backports repository at priority 200 so that new versions of installed backports are installed automatically.

Package: *
Pin: release a=etch-backports
Pin-Priority: 200
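As an added example that is not part of this advisory or of the Debian clamav packaging, the following Python script reimplements dpkg's Debian version ordering (the algorithm behind "dpkg --compare-versions") and applies it to a constructed "dpkg-query -W" listing to decide which installed clamav packages are still below 0.95.2+dfsg-2~bpo40+1 and therefore belong in <packagelist>. The package names and installed versions in the sample are assumptions; on a real etch host you would feed it the actual dpkg-query output.

```python
"""Decide which installed clamav packages are below the fixed backports version.

Added example, not part of the advisory or of the Debian clamav packaging:
it reimplements dpkg's Debian version ordering (the algorithm behind
`dpkg --compare-versions`) and applies it to constructed `dpkg-query -W`
output. Package names and installed versions below are assumptions.
"""
import string

# Fixed version for etch-backports, taken from the advisory.
FIXED_VERSION = "0.95.2+dfsg-2~bpo40+1"

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n' 'clamav*' 'libclamav*'`
# on a hypothetical etch host. The versions are assumptions chosen to show each
# outcome: an older backport, exactly the fixed version, and a non-backport build.
SAMPLE_DPKG_QUERY = """\
clamav 0.94.dfsg.2-1~bpo40+1
clamav-base 0.94.dfsg.2-1~bpo40+1
clamav-daemon 0.95.2+dfsg-2~bpo40+1
clamav-freshclam 0.95.2+dfsg-2
libclamav5 0.94.dfsg.2-1~bpo40+1
"""


def _order(c):
    """Weight of one character in dpkg's scheme: '~' sorts before everything,
    even end of string; digits are compared numerically elsewhere; letters sort
    before the remaining punctuation."""
    if c == "~":
        return -1
    if c in string.digits:
        return 0
    if c in string.ascii_letters:
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare an upstream-version or revision string the way dpkg's verrevcmp()
    does: alternate between non-digit runs (char weights) and digit runs (numbers)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: end of string weighs 0, so "2" > "2~bpo40+1" but "2" < "2+b1".
        while (i < len(a) and a[i] not in string.digits) or (j < len(b) and b[j] not in string.digits):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; a longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in string.digits and j < len(b) and b[j] in string.digits:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in string.digits:
            return 1
        if j < len(b) and b[j] in string.digits:
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision);
    epoch defaults to 0 and revision to '' when absent."""
    epoch = 0
    if ":" in version:
        head, _, version = version.partition(":")
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as dpkg would order a against b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def needs_upgrade(installed, fixed=FIXED_VERSION):
    return compare_versions(installed, fixed) < 0


def packages_needing_upgrade(dpkg_output, fixed=FIXED_VERSION):
    """Parse 'package version' lines; return (package, version) pairs below fixed."""
    affected = []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and needs_upgrade(parts[1], fixed):
            affected.append((parts[0], parts[1]))
    return affected


def upgrade_command(dpkg_output, fixed=FIXED_VERSION):
    """The command from the advisory with <packagelist> filled in, or None if nothing is behind."""
    pkgs = [pkg for pkg, _ in packages_needing_upgrade(dpkg_output, fixed)]
    return "apt-get -t etch-backports install " + " ".join(pkgs) if pkgs else None


if __name__ == "__main__":
    for pkg, ver in packages_needing_upgrade(SAMPLE_DPKG_QUERY):
        print("%-18s %-26s < %s" % (pkg, ver, FIXED_VERSION))
    print(upgrade_command(SAMPLE_DPKG_QUERY))
```

The "~" rule is what makes backports versioning work: 0.95.2+dfsg-2~bpo40+1 compares lower than 0.95.2+dfsg-2, so the backport never shadows the same Debian revision from a regular suite, and a host that already carries 0.95.2+dfsg-2 from elsewhere is correctly reported as not needing this update.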