Your message dated Sun, 28 Jan 2018 22:03:13 +0000
with message-id <e1efv2f-0007ev...@fasolo.debian.org>
and subject line Bug#888484: fixed in clamav 0.99.2+dfsg-0+deb8u3
has caused the Debian Bug report #888484,
regarding clamav: Security release 0.99.3 available (CVE-2017-12374 
CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 
CVE-2017-12380)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
888484: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: clamav
Version: 0.99.2+dfsg-0+deb8u2
Severity: important

0.99.3 has been released, see 
http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html.

This fixed a number of overflow bugs, each of which has been assigned a CVE number
due to the potential for denial of service.

We've started seeing unexpected clamd crashes on a high-traffic mail
system today, though I've been unable to isolate a test case. It seems like
too much of a coincidence that these crashes start happening the day after a
security release was announced. We've implemented mitigations but an updated
package would be even better.

Cheers!
Rob N.


-- Package-specific info:
--- configuration ---
Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamav.log"
StatsHostID = "auto"
StatsEnabled disabled
StatsPEDisabled = "yes"
StatsTimeout = "10"
LogFileUnlock disabled
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogClean disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
PidFile disabled
TemporaryDirectory disabled
DatabaseDirectory = "/var/lib/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "15"
StreamMaxLength = "26214400"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "12"
ReadTimeout = "180"
CommandReadTimeout = "5"
SendBufTimeout = "200"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = "yes"
SelfCheck = "3600"
DisableCache disabled
VirusEvent disabled
ExitOnOOM disabled
AllowAllMatchScan = "yes"
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "clamav"
AllowSupplementaryGroups disabled
Bytecode = "yes"
BytecodeSecurity = "TrustSigned"
BytecodeTimeout = "60000"
BytecodeUnsigned disabled
BytecodeMode = "Auto"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
AlgorithmicDetection = "yes"
ScanPE = "yes"
ScanELF = "yes"
DetectBrokenExecutables disabled
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
PhishingAlwaysBlockCloak disabled
PhishingAlwaysBlockSSLMismatch disabled
PartitionIntersection disabled
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
OLE2BlockMacros disabled
ScanPDF = "yes"
ScanSWF = "yes"
ScanXMLDOCS = "yes"
ScanHWP3 = "yes"
ScanArchive = "yes"
ArchiveBlockEncrypted disabled
ForceToDisk disabled
MaxScanSize = "104857600"
MaxFileSize = "26214400"
MaxRecursion = "16"
MaxFiles = "10000"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
MaxZipTypeRcg = "1048576"
MaxPartitions = "50"
MaxIconsPE = "100"
MaxRecHWP3 = "16"
PCREMatchLimit = "10000"
PCRERecMatchLimit = "5000"
PCREMaxFileSize = "26214400"
ScanOnAccess disabled
OnAccessMountPath disabled
OnAccessIncludePath disabled
OnAccessExcludePath disabled
OnAccessExcludeUID disabled
OnAccessMaxFileSize = "5242880"
OnAccessDisableDDD disabled
OnAccessPrevention disabled
OnAccessExtraScanning disabled
DevACOnly disabled
DevACDepth disabled
DevPerformance disabled
DevLiblog disabled
DisableCertCheck disabled

Config file: freshclam.conf
---------------------------
StatsHostID disabled
StatsEnabled disabled
StatsTimeout disabled
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
PidFile disabled
DatabaseDirectory = "/var/lib/clamav"
Foreground disabled
Debug disabled
AllowSupplementaryGroups disabled
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseOwner = "clamav"
Checks = "24"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
PrivateMirror disabled
MaxAttempts = "5"
ScriptedUpdates = "yes"
TestDatabases = "yes"
CompressLocalDatabase disabled
ExtraDatabase disabled
DatabaseCustomURL disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamav/clamd.conf"
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "30"
ReceiveTimeout = "30"
SubmitDetectionStats disabled
DetectionStatsCountry disabled
DetectionStatsHostID disabled
SafeBrowsing disabled
Bytecode = "yes"

clamav-milter.conf not found

Software settings
-----------------
Version: 0.99.2
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2 
LIBXML2 PCRE ICONV JSON RAR JIT

Database information
--------------------
Database directory: /var/lib/clamav
bytecode.cld: version 283, sigs: 53, built on Thu Jun 23 15:01:37 2016
daily.cld: version 22385, sigs: 730021, built on Tue Oct 18 05:56:58 2016
main.cvd: version 57, sigs: 4218790, built on Wed Mar 16 23:17:06 2016
Total number of signatures: 4948864

Platform information
--------------------
uname: Linux 4.9.37-fm64 #1 SMP Fri Jul 14 10:59:57 UTC 2017 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
Full OS version: Debian GNU/Linux 8.8 (jessie)
zlib version: 1.2.8 (1.2.8), compile flags: a9
Triple: x86_64-pc-linux-gnu
CPU: corei7, Little-endian
platform id: 0x0a2152520804090201040902

Build information
-----------------
GNU C: 4.9.2 (4.9.2)
GNU C++: 4.9.2 (4.9.2)
CPPFLAGS: -D_FORTIFY_SOURCE=2
CFLAGS: -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security 
-Wall -D_FILE_OFFSET_BITS=64 -fno-strict-aliasing  -D_LARGEFILE_SOURCE 
-D_LARGEFILE64_SOURCE
CXXFLAGS: 
LDFLAGS: -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed
Configure: '--build=x86_64-linux-gnu' '--prefix=/usr' 
'--includedir=/usr/include' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' 
'--libexecdir=/usr/lib/clamav' '--disable-maintainer-mode' 
'--disable-dependency-tracking' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong 
-Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 
'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong 
-Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'LDFLAGS=-fPIE 
-pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--with-dbdir=/var/lib/clamav' 
'--sysconfdir=/etc/clamav' '--disable-clamav' '--disable-unrar' 
'--enable-milter' '--enable-dns-fix' '--with-libjson' '--with-gnu-ld' 
'-with-system-llvm=/usr/bin/llvm-config' '--with-llvm-linking=dynamic' 
'--with-systemdsystemunitdir=/lib/systemd/system' 'build_alias=x86_64-linux-gnu'
sizeof(void*) = 8
Engine flevel: 82, dconf: 82

--- data dir ---
total 154708
-rw-r--r-- 1 sshd clamav    446464 Jun 23  2016 bytecode.cld
-rw-r--r-- 1 sshd clamav  48823808 Oct 18  2016 daily.cld
-rw-r--r-- 1 sshd clamav 109143933 Apr  8  2016 main.cvd
-rw------- 1 sshd clamav       936 Oct 18  2016 mirrors.dat

-- System Information:
Debian Release: 8.8
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.37-fm64 (SMP w/16 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Init: sysvinit (via /sbin/init)

Versions of packages clamav depends on:
ii  clamav-freshclam [clamav-data]  0.99.2+dfsg-0+deb8u2
ii  libc6                           2.19-18+deb8u9
ii  libclamav7                      0.99.2+dfsg-0+deb8u2
ii  libcurl3                        7.38.0-4+deb8u8
ii  libssl1.0.0                     1.0.1t-1+deb8u6
ii  zlib1g                          1:1.2.8.dfsg-2+b1

Versions of packages clamav recommends:
ii  clamav-base  0.99.2+dfsg-0+deb8u2

Versions of packages clamav suggests:
pn  clamav-docs  <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: clamav
Source-Version: 0.99.2+dfsg-0+deb8u3

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebast...@breakpoint.cc> (supplier of updated clamav 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Jan 2018 01:29:24 +0100
Source: clamav
Binary: clamav-base clamav-docs clamav-dbg clamav libclamav-dev libclamav7 
clamav-daemon clamdscan clamav-testfiles clamav-freshclam clamav-milter
Architecture: source all
Version: 0.99.2+dfsg-0+deb8u3
Distribution: jessie
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Description:
 clamav     - anti-virus utility for Unix - command-line interface
 clamav-base - anti-virus utility for Unix - base package
 clamav-daemon - anti-virus utility for Unix - scanner daemon
 clamav-dbg - debug symbols for ClamAV
 clamav-docs - anti-virus utility for Unix - documentation
 clamav-freshclam - anti-virus utility for Unix - virus database update utility
 clamav-milter - anti-virus utility for Unix - sendmail integration
 clamav-testfiles - anti-virus utility for Unix - test files
 clamdscan  - anti-virus utility for Unix - scanner client
 libclamav-dev - anti-virus utility for Unix - development files
 libclamav7 - anti-virus utility for Unix - library
Closes: 824196 888484
Changes:
 clamav (0.99.2+dfsg-0+deb8u3) jessie; urgency=medium
 .
   * Apply security patches from 0.99.3 (Closes: #888484):
     - fixes for the following CVE's: CVE-2017-6418, CVE-2017-6420,
       CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377,
       CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
   * Bump symbol version of cl_retflevel because CL_FLEVEL changed.
   * Cherry-pick patch from bb11549 to fix a temp file cleanup issue
     (Closes: #824196).


--- End Message ---
_______________________________________________
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel