-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Kolab Security Issue 15 20070601
================================
Package: Kolab Server, ClamAV
Vulnerability: denial of service, insecure temporary
files
Kolab Specific: no
Dependent Packages: none
Summary
~~~~~~~
- libclamav/unsp.c: fix end of buffer calculation (bb#464,
patch from aCaB)
- libclamav/others.c: use strict permissions (0600) for
temporary files
created in cli_gentempstream() (bb#517). Reported by
Christoph Probst.
- libclamav/unrar/unrar.c: heap corruption causing DoS with
corrupted
rar archive, better handle truncated files
- libclamav/phishcheck.c: isURL() regex execution hangs on
Solaris
- libclamav/ole2_extract.c: detect block list loop
(bb#466), patch from Trog
Affected Versions
~~~~~~~~~~~~~~~~~
This affects versions of ClamAV up to version 0.90.2.
Kolab Server 2.1.0 and previous releases of the 2.1 branch
are affected.
Kolab Server 2.0.4 and previous releases of the 2.0 branch
are affected,
please upgrade to Kolab Server 2.1.0 first.
Fix
~~~
Upgrade to ClamAV 0.90.3.
The ClamAV source RPM is available from the Kolab download
mirrors as:
security-updates/20070601/clamav-0.90.3-20070531_kolab.src.r
pm
A binary RPM for Kolab Server 2.1.0 (ix86 Debian GNU/Linux
Sarge) is available:
security-updates/20070601/clamav-0.90.3-20070531_kolab.ix86-
debian3.1-kolab.rpm
All other server versions: Please build from the src.rpm.
The mirrors are listed on http://kolab.org/mirror
s.html
While the mirrors are catching up, you can also get the
package via rsync:
# rsync -tvP
rsync://rsync.kolab.org/kolab/server/security-updates/200706
01/clamav-0.90.3-20070531_kolab.src.rpm .
# rsync -tvP
rsync://rsync.kolab.org/kolab/server/security-updates/200706
01/clamav-0.90.3-20070531_kolab.ix86-debian3.1-kolab.rpm .
MD5 sums:
1af188d728d10d9df9708a2ab3e89e78
clamav-0.90.3-20070531_kolab.ix86-debian3.1-kolab.rpm
53097670b452fdab2c20193d27d1c479
clamav-0.90.3-20070531_kolab.src.rpm
The package can be installed on your Kolab Server with
# /kolab/bin/openpkg rpm --rebuild
clamav-0.90.3-20070531_kolab.src.rpm
# /kolab/bin/openpkg rpm
-Uvh
/kolab/RPM/PKG/clamav-0.90.3-20070531_kolab.<ARCH>-<
;OS>-kolab.rpm
# su - kolab-r
$ freshclam
Details
~~~~~~~
http://sourceforge.net/project/shownotes.php?relea
se_id=512356
ClamAV 0.90.3 release notes
Timeline
~~~~~~~~
20070530 ClamAV release 0.90.3.
20070531 OpenPKG 0.90.3 package release.
20070601 Kolab Server security advisory published.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFGYEUqW7P1GVgWeRoRAi5jAJ4zw3zAH6qcg2Z3p3aMBewaayEntwCg
hcvi
uQqR9EIOgrBcdgjdrp8Cnow=
=UJ7k
-----END PGP SIGNATURE-----
--
thomas intevation.de - http://intevation.de/~t
homas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Osnabrueck - Register: Amtsgericht
Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr.
Jan-Oliver Wagner
_______________________________________________
Kolab-announce mailing list
Kolab-announcekolab.org
htt
ps://kolab.org/mailman/listinfo/kolab-announce
|