Package: clamav
Severity: grave

Hi,

As you'll likely know there is https://security-tracker.debian.org/tracker/CVE-2023-20032 and https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

"CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue."

Upstream released fixed tarballs for all their supported branches.

I've managed to build 0.103.8+dfsg-0+deb10u1~uvt0 for Debian 10/buster from that, it's available from https://non-gnu.uvt.nl/debian/buster/clamav/ (including sources). We are now running this build on the Tilburg University mail infrastructure, it might work for others too.

Anybody working on a proper Debian supplied fix: feel free to contact me (via IRC, e.g.)

HTH, Bye,

Joost

--
Joost van Baal-Ilić
http://abramowitz.uvt.nl/
Tilburg University
mailto:joostvb.uvt.nl
The Netherlands