Your message dated Thu, 08 Feb 2024 20:48:21 +0000
with message-id <[email protected]>
and subject line Bug#1063479: fixed in clamav 1.0.5+dfsg-1
has caused the Debian Bug report #1063479,
regarding clamav: CVE-2024-20290 CVE-2024-20328
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1063479: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063479
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: clamav
Version: 1.0.4+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.0.3+dfsg-1~deb12u1

Hi,

The following vulnerabilities were published for clamav.

CVE-2024-20290[0]:
| A vulnerability in the OLE2 file format parser of ClamAV could allow
| an unauthenticated, remote attacker to cause a denial of service
| (DoS) condition on an affected device. This vulnerability is due
| to an incorrect check for end-of-string values during scanning,
| which may result in a heap buffer over-read. An attacker could
| exploit this vulnerability by submitting a crafted file containing
| OLE2 content to be scanned by ClamAV on an affected device. A
| successful exploit could allow the attacker to cause the ClamAV
| scanning process to terminate, resulting in a DoS condition on the
| affected software and consuming available system resources. For a
| description of this vulnerability, see the ClamAV blog.


CVE-2024-20328[1]:
| Fixed a possible command injection vulnerability in the "VirusEvent"
| feature of ClamAV's ClamD service.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-20290
    https://www.cve.org/CVERecord?id=CVE-2024-20290
[1] https://security-tracker.debian.org/tracker/CVE-2024-20328
    https://www.cve.org/CVERecord?id=CVE-2024-20328
[2] https://blog.clamav.net/2023/11/clamav-130-122-105-released.html

Regards,
Salvatore

--- End Message ---
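The CVE-2024-20328 entry above only says "possible command injection in the VirusEvent feature". The following is an added illustration of that bug class and of the safe pattern, written for this page; it is not ClamAV's code and does not describe how clamd actually implemented or fixed VirusEvent. It assumes a generic "run a command when a detection happens" hook with %f / %v placeholders for the file path and signature name, and the environment variable names it exports are made up for the example.

```python
"""Command injection in a VirusEvent-style hook, and the safe alternative.

Added illustration, not ClamAV's code. Models a generic "run a command on
detection" hook: the %f (file path) and %v (signature name) placeholders
and the HOOK_* environment variable names are assumptions for this example.
"""
import os
import shlex
import subprocess
import sys

# Constructed sample detection. The file name is attacker-influenced, since a
# scanner names what it receives (mail attachments, uploads, shared folders).
SAMPLE_FILE = "/tmp/incoming/report.pdf; touch /tmp/pwned"   # constructed
SAMPLE_VIRUS = "Eicar-Signature"                              # constructed

# A hook configured as a single shell string, the risky shape.
SHELL_TEMPLATE = "notify-hook --virus %v --file %f"


def expand_into_shell_string(template, path, virus):
    """Risky pattern: substitute data into a string that a shell will parse.

    Returns the string a system()/`sh -c` style runner would hand to the
    shell. Any shell syntax inside `path` (';', '|', '$(...)', backticks)
    becomes command structure instead of an argument.
    """
    return template.replace("%f", path).replace("%v", virus)


def shell_words(command_line):
    """Split the way a POSIX shell splits words, to expose injected words."""
    return shlex.split(command_line)


def build_safe_invocation(argv_template, path, virus):
    """Safe pattern: an argv list plus environment, never a shell string.

    Each template element is exactly one argv entry, so the substituted data
    is passed to execve() as a single argument and no shell parser ever sees
    it. The detection details are also exported in environment variables
    (names assumed here) so a hook script can read them without any
    substitution at all.
    """
    argv = [arg.replace("%f", path).replace("%v", virus) for arg in argv_template]
    env = dict(os.environ)
    env["HOOK_DETECTED_FILE"] = path
    env["HOOK_VIRUS_NAME"] = virus
    return argv, env


def run_hook(argv_template, path, virus):
    """Run the hook with shell=False (the default): argv goes straight to exec."""
    argv, env = build_safe_invocation(argv_template, path, virus)
    return subprocess.run(argv, env=env, capture_output=True, text=True, check=False)


def demo():
    """Return both views of the same detection so the difference is visible."""
    risky = expand_into_shell_string(SHELL_TEMPLATE, SAMPLE_FILE, SAMPLE_VIRUS)
    # Hook that just echoes what it received via the environment; uses the
    # running interpreter so the example works without any external tool.
    echo_hook = [sys.executable, "-c",
                 "import os; print(os.environ['HOOK_DETECTED_FILE'])"]
    completed = run_hook(echo_hook, SAMPLE_FILE, SAMPLE_VIRUS)
    return {
        "shell_string": risky,
        "shell_words": shell_words(risky),
        "safe_argv": build_safe_invocation(["notify-hook", "--file", "%f"],
                                           SAMPLE_FILE, SAMPLE_VIRUS)[0],
        "hook_saw": completed.stdout.strip(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

In the risky form the path splits into extra shell words ("touch" becomes its own word), which is exactly what a shell would go on to execute; in the safe form the same path arrives at the hook as one argv entry and one environment value, intact. When auditing any "run a command on event" option, the check is whether the configured string reaches `sh -c`/system() after substitution, or whether the data travels as argv/environment.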
--- Begin Message ---
Source: clamav
Source-Version: 1.0.5+dfsg-1
Done: Sebastian Andrzej Siewior <[email protected]>

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 08 Feb 2024 21:38:51 +0100
Source: clamav
Architecture: source
Version: 1.0.5+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 1063479
Changes:
 clamav (1.0.5+dfsg-1) unstable; urgency=medium
 .
   * Import 1.0.4 (Closes: #1063479).
     - Update symbols.
     - CVE-2024-20290 (Fixed a possible heap overflow read bug in the OLE2 file
       parser that could cause a denial-of-service (DoS) condition.)
     - CVE-2024-20328 (Fixed a possible command injection vulnerability in the
       "VirusEvent" feature of ClamAV's ClamD service.)
Checksums-Sha1:
 6a658d199a21e723eacd1a018e0cab78a83da780 2830 clamav_1.0.5+dfsg-1.dsc
 f4f5016ce9ff75ad1db40f3475c100dc5fd87243 25821000 clamav_1.0.5+dfsg.orig.tar.xz
 abaf76f7eb334ee33c27077e2dcfc61f7728799e 226420 clamav_1.0.5+dfsg-1.debian.tar.xz
Checksums-Sha256:
 a9c3354a514f7170b89902b3b2ddbb533c5608ce0cb9ab0cfc1bf9150a1bef34 2830 clamav_1.0.5+dfsg-1.dsc
 b9c98462e0747f20178fff61ca4f823d97e4f599b919610ce64f65d1aeb4d807 25821000 clamav_1.0.5+dfsg.orig.tar.xz
 1cc5ab6b477bf49143716700ebf0cda381c3c15e5775344a8c1cbf845535693e 226420 clamav_1.0.5+dfsg-1.debian.tar.xz
Files:
 57faa8398921f30a720b5cc060ccdd86 2830 utils optional clamav_1.0.5+dfsg-1.dsc
 93f486687a7b4031e686b1c33dcfdc9c 25821000 utils optional clamav_1.0.5+dfsg.orig.tar.xz
 c1a9f262eb253239b0ba31ebe9a3757d 226420 utils optional clamav_1.0.5+dfsg-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Pkg-clamav-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-clamav-devel
