Please unsubscribe me from your mailing list [email protected]

On Thu, 3 Oct 2024, 13:10 Debian Bug Tracking System, <[email protected]> wrote:

> Your message dated Thu, 03 Oct 2024 12:05:39 +0000
> with message-id <[email protected]>
> and subject line Bug#1080962: fixed in clamav 1.4.1+dfsg-1
> has caused the Debian Bug report #1080962,
> regarding clamav: CVE-2024-20505 CVE-2024-20506
> to be marked as done.
>
> This means that you claim that the problem has been dealt with.
> If this is not the case it is now your responsibility to reopen the
> Bug report if necessary, and/or fix the problem forthwith.
>
> (NB: If you are a system administrator and have no idea what this
> message is talking about, this may indicate a serious mail system
> misconfiguration somewhere. Please contact [email protected]
> immediately.)
>
>
> --
> 1080962: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1080962
> Debian Bug Tracking System
> Contact [email protected] with problems
>
>
>
> ---------- Forwarded message ----------
> From: Salvatore Bonaccorso <[email protected]>
> To: Debian Bug Tracking System <[email protected]>
> Cc:
> Bcc:
> Date: Fri, 06 Sep 2024 00:05:05 +0200
> Subject: clamav: CVE-2024-20505 CVE-2024-20506
> Source: clamav
> Version: 1.3.1+dfsg-5
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> Control: found -1 1.0.5+dfsg-1~deb12u1
> Control: found -1 0.103.10+dfsg-0+deb11u1
>
> Hi,
>
> The following vulnerabilities were published for clamav.
>
> CVE-2024-20505[0]:
> | A vulnerability in the PDF parsing module of Clam AntiVirus (ClamAV)
> | versions 1.4.0, 1.3.2 and prior versions, all 1.2.x versions, 1.0.6
> | and prior versions, all 0.105.x versions, all 0.104.x versions, and
> | 0.103.11 and all prior versions could allow an unauthenticated,
> | remote attacker to cause a denial of service (DoS) condition on an
> | affected device. The vulnerability is due to an out of bounds
> | read. An attacker could exploit this vulnerability by submitting a
> | crafted PDF file to be scanned by ClamAV on an affected device. An
> | exploit could allow the attacker to terminate the scanning process.
>
>
> CVE-2024-20506[1]:
> | A vulnerability in the ClamD service module of Clam AntiVirus
> | (ClamAV) versions 1.4.0, 1.3.2 and prior versions, all 1.2.x
> | versions, 1.0.6 and prior versions, all 0.105.x versions, all
> | 0.104.x versions, and 0.103.11 and all prior versions could allow an
> | authenticated, local attacker to corrupt critical system files.
> | The vulnerability is due to allowing the ClamD process to write to
> | its log file while privileged without checking if the logfile has
> | been replaced with a symbolic link. An attacker could exploit this
> | vulnerability if they replace the ClamD log file with a symlink to a
> | critical system file and then find a way to restart the ClamD
> | process. An exploit could allow the attacker to corrupt a critical
> | system file by appending ClamD log messages after restart.
>
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-20505
>     https://www.cve.org/CVERecord?id=CVE-2024-20505
> [1] https://security-tracker.debian.org/tracker/CVE-2024-20506
>     https://www.cve.org/CVERecord?id=CVE-2024-20506
> [2] https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html
>
> Regards,
> Salvatore
>
>
>
> ---------- Forwarded message ----------
> From: Debian FTP Masters <[email protected]>
> To: [email protected]
> Cc:
> Bcc:
> Date: Thu, 03 Oct 2024 12:05:39 +0000
> Subject: Bug#1080962: fixed in clamav 1.4.1+dfsg-1
> Source: clamav
> Source-Version: 1.4.1+dfsg-1
> Done: Sebastian Andrzej Siewior <[email protected]>
>
> We believe that the bug you reported is fixed in the latest version of
> clamav, which is due to be installed in the Debian FTP archive.
>
> A summary of the changes between this version and the previous one is
> attached.
>
> Thank you for reporting the bug, which will now be closed. If you
> have further comments please address them to [email protected],
> and the maintainer will reopen the bug report if appropriate.
>
> Debian distribution maintenance software
> pp.
> Sebastian Andrzej Siewior <[email protected]> (supplier of updated clamav package)
>
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing [email protected])
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Thu, 03 Oct 2024 10:51:50 +0200
> Source: clamav
> Architecture: source
> Version: 1.4.1+dfsg-1
> Distribution: unstable
> Urgency: medium
> Maintainer: ClamAV Team <[email protected]>
> Changed-By: Sebastian Andrzej Siewior <[email protected]>
> Closes: 1080962
> Changes:
>  clamav (1.4.1+dfsg-1) unstable; urgency=medium
>  .
>    * Import 1.4.1 (Closes: #1080962)
>      - CVE-2024-20506 (Changed the logging module to disable following symlinks
>        on Linux)
>      - CVE-2024-20505 (Fixed a possible out-of-bounds read bug in the PDF file
>        parser).
_______________________________________________
Pkg-clamav-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-clamav-devel
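The check behind the CVE-2024-20506 fix quoted above (the logging module no longer follows symlinks on Linux), as an added example that is not ClamAV's or Debian's own code: it opens an append-only log with O_NOFOLLOW, adds an fstat() check that goes beyond the described fix by also refusing non-regular files and hard-linked logs, and uses a constructed fixture with hypothetical paths under /tmp so a symlinked log name can be seen being refused. The function names and paths are this example's own, not ClamAV's.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (or create) an append-only log without following a symlink at the final
 * path component (open(2) fails with ELOOP). The fstat() check goes beyond the
 * advisory's fix by also refusing non-regular files and hard links. fd or -1. */
int open_log_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0640);
    if (fd < 0) return -1;                      /* errno == ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* 1 = message appended, 0 = refused because path is a symlink,
 * -1 = refused for another reason. */
int try_log_write(const char *path, const char *msg)
{
    int fd = open_log_nofollow(path);
    if (fd < 0) return errno == ELOOP ? 0 : -1;
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n == (ssize_t)strlen(msg) ? 1 : -1;
}

/* Constructed fixture with hypothetical paths: a scratch directory holding
 * a regular log name, a stand-in "critical" file, and a second log name that
 * is a symlink to that file. Fills the three buffers; returns 0 on success. */
int make_fixture(char *regular, char *target, char *link, size_t len)
{
    char dir[] = "/tmp/clamd-log-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    snprintf(regular, len, "%s/clamd.log", dir);
    snprintf(target, len, "%s/critical.conf", dir);
    snprintf(link, len, "%s/clamd-link.log", dir);
    int fd = open(target, O_WRONLY | O_CREAT, 0600);   /* empty stand-in */
    if (fd < 0) return -1;
    close(fd);
    return symlink(target, link);
}
```

O_NOFOLLOW only guards the last path component, so a symlink substituted for a parent directory is still followed; the log directory itself must not be writable by the unprivileged user for this check to be sufficient.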
