Sebastian Harl uploaded new packages for clamav which fixed the
following security problems:
CVE-2008-6680, DSA-1771-1, Debian bug #523016
Attackers can cause a denial of service (crash) via a crafted EXE
file that triggers a divide-by-zero error.
CVE-2009-1270, DSA-1771-1, Debian bug #523016
Attackers can cause a denial of service (infinite loop) via a
crafted tar file that causes (1) clamd and (2) clamscan to hang.
CVE-2009-1371, DSA-1771-1
Attackers can cause a denial of service (crash) via a crafted EXE
file that crashes the UPack unpacker.
Debian bug #535881
The parsing engine can be bypassed by manipulating CAB, RAR, ZIP
archives in a "certain way" that the Clamav engine cannot extract
the content but the end user is able to.
For the etch-backports distribution the problems have been fixed in
version 0.95.2+dfsg-2~bpo40+1.
The lenny-backports distribution does not include clamav packages and,
thus, is not affected.
If you don't use pinning [1] you have to update the package manually via
"apt-get -t etch-backports install <packagelist>", where <packagelist>
is the list of your installed packages affected by this update.
[1] http://backports.org/dokuwiki/doku.php?id=instructions
We recommend to pin the backports repository to 200 so that new versions
of installed backports will be installed automatically.
Package: *
Pin: release a=etch-backports
Pin-Priority: 200