Kolab Security Issue 18 20080109 (clamav)
user name
2008-01-09 11:07:39
Kolab Security Issue 18 20080109
================================

Package:              Kolab Server, ClamAV
Vulnerability:        various
Kolab Specific:       no
Dependent Packages:   none


Summary
~~~~~~~

CVE-2007-6335

    It was discovered that an integer overflow in the decompression code
    for MEW archives may lead to the execution of arbitrary code.

CVE-2007-6336

    It was discovered that an off-by-one in the MS-ZIP decompression
    code may lead to the execution of arbitrary code.

CVE-2007-6337

    Unspecified vulnerability in the bzip2 decompression algorithm in
    nsis/bzlib_private.h.


Affected Versions
~~~~~~~~~~~~~~~~~

This affects versions of ClamAV up to version 0.91.2.
Kolab Server 2.1.0 and previous releases of the 2.1 branch
are affected.
Kolab Server 2.0.4 and previous releases of the 2.0 branch
are affected.
Kolab Server 2.2-beta3 and previous prereleases are
affected.


Fix
~~~

Upgrade to ClamAV 0.92.

The ClamAV source RPM patched to be compilable with Kolab Server 2.1 and 2.0
is available from the Kolab download mirrors as:
security-updates/20080109/clamav-0.92-20080101_kolab.src.rpm


A binary RPM for Kolab Server 2.1.0 (ix86 Debian GNU/Linux Sarge) is available:
security-updates/20080109/clamav-0.92-20080101_kolab.ix86-debian3.1-kolab.rpm

All other server versions: please build from the src.rpm.
For Kolab Server 2.2-beta3 the unmodified OpenPKG rpm can be used:
security-updates/20080109/clamav-0.92-20080101.src.rpm


The mirrors are listed on http://kolab.org/mirrors.html
While the mirrors are catching up, you can also get the packages via rsync:
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080109/clamav-0.92-20080101_kolab.src.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080109/clamav-0.92-20080101_kolab.ix86-debian3.1-kolab.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080109/clamav-0.92-20080101.src.rpm .

MD5 sums:
ad61c36b1d84aaa06e734fa02e13923b  clamav-0.92-20080101.src.rpm
3fe0e99160eea9816e55630378cd79d8  clamav-0.92-20080101_kolab.ix86-debian3.1-kolab.rpm
91094b48f22958536685eb29c786ea4f  clamav-0.92-20080101_kolab.src.rpm


The package can be installed on your Kolab Server with

# /kolab/bin/openpkg rpm --rebuild clamav-0.92-20080101_kolab.src.rpm
# /kolab/bin/openpkg rpm -Uvh /kolab/RPM/PKG/clamav-0.92-20080101_kolab.<ARCH>-<OS>-kolab.rpm
# rm /kolab/etc/clamav/*.rpmsave
# /kolab/bin/openpkg rc clamav start
# su - kolab-r
$ freshclam

For Kolab Server 2.0.4 you have to copy the new /kolab/etc/clamav/clamd.conf
to /kolab/etc/kolab/templates/clamd.conf.template so it will not be
overwritten by kolabconf. Do NOT copy this file with Kolab Server 2.1 or 2.2!


Details
~~~~~~~

http://sourceforge.net/project/shownotes.php?release_id=562254
	ClamAV 0.92 release notes

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6335
	CVE-2007-6335

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6336
	CVE-2007-6336

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6337
	CVE-2007-6337


Timeline
~~~~~~~~
    20071217 ClamAV release 0.92.
    20071217 OpenPKG 0.92 package release.
    20080109 Kolab Server security advisory published.

-- 
thomas@intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Osnabrueck - Register: Amtsgericht Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

_______________________________________________
Kolab-announce mailing list
Kolab-announce@kolab.org
https://kolab.org/mailman/listinfo/kolab-announce