Sebastian Harl uploaded new packages for clamav which fixed the following security problems:
CVE-2008-6680, DSA-1771-1, Debian bug #523016
Attackers can cause a denial of service (crash) via a crafted EXE file that triggers a divide-by-zero error.
CVE-2009-1270, DSA-1771-1, Debian bug #523016
Attackers can cause a denial of service (infinite loop) via a crafted tar file that causes (1) clamd and (2) clamscan to hang.
Attackers can cause a denial of service (crash) via a crafted EXE file that crashes the UPack unpacker.
Debian bug #535881
The parsing engine can be bypassed by manipulating CAB, RAR, ZIP archives in a "certain way" such that the ClamAV engine cannot extract the content but the end user can.
For the etch-backports distribution the problems have been fixed in version 0.95.2+dfsg-2~bpo40+1.
The lenny-backports distribution does not include clamav packages and, thus, is not affected.
If you don't use pinning, you have to update the package manually via "apt-get -t etch-backports install <packagelist>", where <packagelist> is the list of your installed packages affected by this update.
We recommend pinning the backports repository to 200 so that new versions of installed backports are installed automatically.
Package: *
Pin: release a=etch-backports
Pin-Priority: 200