Bug#888484: [Pkg-clamav-devel] Bug#888484: Processed (with 1 error): Re: Bug#888484: clamav: Security release 0.99.3 available
On 27 January 2018 15:30:45 CET, Salvatore Bonaccorso wrote:
> So "the remaining CVEs were not addressed yet" part.

I was referring to the Stretch release. The fd bug is fixed but not the CVEs.
In the meantime I opened pu bugs for stable and oldstable.

Sebastian
Bug#888484: [Pkg-clamav-devel] Processed (with 1 error): Re: Bug#888484: clamav: Security release 0.99.3 available
Scott,

Thank you.

On Sat, Jan 27, 2018 at 03:12:31PM +, Scott Kitterman wrote:
> On January 27, 2018 2:30:45 PM UTC, Salvatore Bonaccorso wrote:
> >Hi Scott,
> >
> >On Sat, Jan 27, 2018 at 02:05:59PM +, Scott Kitterman wrote:
> >> fixed 888484 0.99.3~beta2+dfsg-1
> >>
> >> Everyone:
> >>
> >> Please leave the status of this bug to the package maintainers.
> >> We've checked and all the security issues in the new 0.99.3 release
> >> were previously addressed in the beta that's in testing/unstable.
> >>
> >> If you think this is incorrect, provide specific information about
> >> why (i.e. point to the code). Don't change the status of the bug.
> >> You aren't helping.
> >
> >This though was not clear at all from
> >https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484#29 where the
> >bug was marked fixed in 0.99.3~beta2+dfsg-1, where Sebastian wrote:
> >
> >> I *think* the crashes you observed might be due to FD desc issue. This
> >> was fixed in Stretch by chance but not in Jessie. However the remaining
> >> CVEs were not addressed yet and I'm looking into it…
> >>
> >> [0]
> >> http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html
> >
> >So "the remaining CVEs were not addressed yet" part.
> >
> >I take your last email as confirmation that they indeed *are* fixed in
> >0.99.3~beta2+dfsg-1 and have updated the security-tracker information
> >as such.
>
> Thanks. This is a bit of a confusing mess (thanks upstream). My
> understanding is that the remaining ones are ones that are addressed
> in the beta in unstable/testing, but not the new release. If I find
> out different, I'll be sure to update the tracker.

Btw, I did expand the tracker CVE entries now with the respective
upstream bugs (they are now open) and the respective commits. And it
looks indeed that all of those are present in the "Import
clamav_0.99.3~beta2+dfsg.orig.tar.xz" of Sebastian Andrzej Siewior, in
the packaging repo done back in December 2017.

Thanks for your work!

Salvatore
Bug#888484: [Pkg-clamav-devel] Processed (with 1 error): Re: Bug#888484: clamav: Security release 0.99.3 available
On January 27, 2018 2:30:45 PM UTC, Salvatore Bonaccorso wrote:
>Hi Scott,
>
>On Sat, Jan 27, 2018 at 02:05:59PM +, Scott Kitterman wrote:
>> fixed 888484 0.99.3~beta2+dfsg-1
>>
>> Everyone:
>>
>> Please leave the status of this bug to the package maintainers.
>> We've checked and all the security issues in the new 0.99.3 release
>> were previously addressed in the beta that's in testing/unstable.
>>
>> If you think this is incorrect, provide specific information about
>> why (i.e. point to the code). Don't change the status of the bug.
>> You aren't helping.
>
>This though was not clear at all from
>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484#29 where the
>bug was marked fixed in 0.99.3~beta2+dfsg-1, where Sebastian wrote:
>
>> I *think* the crashes you observed might be due to FD desc issue. This
>> was fixed in Stretch by chance but not in Jessie. However the remaining
>> CVEs were not addressed yet and I'm looking into it…
>>
>> [0]
>> http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html
>
>So "the remaining CVEs were not addressed yet" part.
>
>I take your last email as confirmation that they indeed *are* fixed in
>0.99.3~beta2+dfsg-1 and have updated the security-tracker information
>as such.

Thanks. This is a bit of a confusing mess (thanks upstream). My
understanding is that the remaining ones are ones that are addressed
in the beta in unstable/testing, but not the new release. If I find
out different, I'll be sure to update the tracker.

Scott K
Bug#888484: [Pkg-clamav-devel] Processed (with 1 error): Re: Bug#888484: clamav: Security release 0.99.3 available
Hi Scott,

On Sat, Jan 27, 2018 at 02:05:59PM +, Scott Kitterman wrote:
> fixed 888484 0.99.3~beta2+dfsg-1
>
> Everyone:
>
> Please leave the status of this bug to the package maintainers.
> We've checked and all the security issues in the new 0.99.3 release
> were previously addressed in the beta that's in testing/unstable.
>
> If you think this is incorrect, provide specific information about
> why (i.e. point to the code). Don't change the status of the bug.
> You aren't helping.

This though was not clear at all from
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484#29 where the
bug was marked fixed in 0.99.3~beta2+dfsg-1, where Sebastian wrote:

> I *think* the crashes you observed might be due to FD desc issue. This
> was fixed in Stretch by chance but not in Jessie. However the remaining
> CVEs were not addressed yet and I'm looking into it…
>
> [0]
> http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html

So "the remaining CVEs were not addressed yet" part.

I take your last email as confirmation that they indeed *are* fixed in
0.99.3~beta2+dfsg-1 and have updated the security-tracker information
as such.

Regards,
Salvatore
Bug#888484: [Pkg-clamav-devel] Processed (with 1 error): Re: Bug#888484: clamav: Security release 0.99.3 available
fixed 888484 0.99.3~beta2+dfsg-1

Everyone:

Please leave the status of this bug to the package maintainers. We've
checked and all the security issues in the new 0.99.3 release were
previously addressed in the beta that's in testing/unstable.

If you think this is incorrect, provide specific information about why
(i.e. point to the code). Don't change the status of the bug. You aren't
helping.

Scott K

On January 27, 2018 10:19:15 AM UTC, Salvatore Bonaccorso wrote:
>notfixed 888484 0.99.3~beta2+dfsg-1
>thanks
>
>Assuming the following was the intention:
>
>On Sat, Jan 27, 2018 at 02:12:08AM +, Debian Bug Tracking System
>wrote:
>> Processing control commands:
>>
>> > unfixed 888484 0.99.3~beta2+dfsg-1
>> Unknown command or malformed arguments to command.
>
>_______________________________________________
>Pkg-clamav-devel mailing list
>pkg-clamav-de...@lists.alioth.debian.org
>http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel
Bug#888484: clamav: Security release 0.99.3 available
Control: unfixed 888484 0.99.3~beta2+dfsg-1
Control: fixed 888511 0.99.3~beta2+dfsg-1

Hi

>> We've started seeing unexpected clamd crashes on a high-traffic mail
>> system today, though I've been unable to isolate a test case. It seems like
>> too much of a coincidence that these crashes start happening the day after a
>> security release was announced. We've implemented mitigations but an updated
>> package would be even better.
>
> I *think* the crashes you observed might be due to FD desc issue. This
> was fixed in Stretch by chance but not in Jessie. However the remaining
> CVEs were not addressed yet and I'm looking into it…
>
> [0]
> http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html

Indeed. There is a separate Bug#888511 for that, I have migrated the fixed
Version above to avoid confusion.

Are you sure about the Stretch thing? Stretch contains 0.99.2 which should be
affected by this bug. But I'm not 100% sure, as all my high traffic mail
gateways are still running Jessie. According to reports 0.99.3~beta2 was
indeed not affected by the signature bug, so Buster/Sid were fine.

What makes things even more confusing is that 0.99.3 does not contain this
fix, because 0.99.3 is 0.99.2+security fixes, while 0.99.3~beta was a
development tree that is now called 0.100 :-(
http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html

Upstream announcement suggests you cannot do a clean switch from 0.99.3~beta
to 0.99.3:

  As previously mentioned, if you downloaded the beta version of ClamAV
  0.99.3, you will need to completely uninstall it and do a fresh install
  with the production version of 0.99.3 as there are significant code
  differences

Bernhard
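The version confusion in this thread comes down to how dpkg orders version strings, which is also what the BTS and the security tracker rely on when a bug is marked fixed in a given version. As an added example, not code from this thread or from the clamav packaging, the following re-implements dpkg's ordering in Python and runs it over the versions mentioned above; 0.99.3+dfsg-1 is a constructed placeholder for a hypothetical 0.99.3 upload, not a real Debian version.

```python
# Added example, not code from the bug report or the clamav package: dpkg's
# version ordering, re-implemented to show what "fixed in 0.99.3~beta2+dfsg-1"
# means for the versions discussed in this thread.

def _order(c):
    # '~' sorts before everything (even end of string), digits are neutral,
    # letters sort before any other punctuation.
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Compare one upstream-version or revision fragment the way dpkg does.
    while a or b:
        first_diff = 0
        # leading non-digit runs: character by character, end of string = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return -1 if ac < bc else 1
            a, b = a[1:], b[1:]
        # leading digit runs: numerically, the longer run after zero-strip wins
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            first_diff = first_diff or (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(a, b):
    # Same result as `dpkg --compare-versions`: -1, 0 or 1.
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def is_fixed(installed, fixed_in):
    # BTS/security-tracker semantics: a bug fixed in X is fixed in every version >= X.
    return compare_versions(installed, fixed_in) >= 0

if __name__ == "__main__":   # versions from the thread; 0.99.3+dfsg-1 is constructed
    for v in ("0.99.2+dfsg-0+deb8u2", "0.99.3~beta2+dfsg-1", "0.99.3+dfsg-1"):
        print(v, is_fixed(v, "0.99.3~beta2+dfsg-1"))
```

Because `~` sorts below the end of the string, 0.99.3~beta2+dfsg-1 is older than any 0.99.3 upload, so a fix recorded at the beta also counts for a later 0.99.3 package even though, as noted above, 0.99.3 and the 0.99.3~beta tree have diverged; the jessie version 0.99.2+dfsg-0+deb8u2 remains unfixed.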
Bug#888484: clamav: Security release 0.99.3 available
On Sat, Jan 27, 2018, at 11:08 AM, Sebastian Andrzej Siewior wrote:
> I *think* the crashes you observed might be due to FD desc issue. This
> was fixed in Stretch by chance but not in Jessie. However the remaining
> CVEs were not addressed yet and I'm looking into it…

Yes, I found this too after reviewing discussion on clamav-users. I've been
running the latest daily.cvd on a test server this morning without issue,
which is a good enough solution for me at the moment. I will of course be
watching for updated packages, but it's definitely no longer urgent.

Thank you all for the pointers; I appreciate the assist :)

Rob N.
Bug#888484: clamav: Security release 0.99.3 available
control: fixed -1 0.99.3~beta2+dfsg-1

On 2018-01-26 09:35:25 [+], Rob N wrote:
> Package: clamav
> Version: 0.99.2+dfsg-0+deb8u2
> Severity: important
>
> 0.99.3 has been released, see
> http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html.
>
> This fixed a number of overflow bugs, each of which has assigned CVE numbers
> due to the potential for denial of service.
>
> We've started seeing unexpected clamd crashes on a high-traffic mail
> system today, though I've been unable to isolate a test case. It seems like
> too much of a coincidence that these crashes start happening the day after a
> security release was announced. We've implemented mitigations but an updated
> package would be even better.

I *think* the crashes you observed might be due to FD desc issue. This
was fixed in Stretch by chance but not in Jessie. However the remaining
CVEs were not addressed yet and I'm looking into it…

[0] http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html

> Cheers!
> Rob N.

Sebastian
Bug#888484: clamav: Security release 0.99.3 available
Control: tags -1 security
Control: severity -1 grave

On Fri, Jan 26, 2018 at 09:35:25AM +, Rob N wrote:
> Package: clamav
> Version: 0.99.2+dfsg-0+deb8u2
> Severity: important
>
> 0.99.3 has been released, see
> http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html.
>
> This fixed a number of overflow bugs, each of which has assigned CVE numbers
> due to the potential for denial of service.
>
> We've started seeing unexpected clamd crashes on a high-traffic mail
> system today, though I've been unable to isolate a test case. It seems like
> too much of a coincidence that these crashes start happening the day after a
> security release was announced. We've implemented mitigations but an updated
> package would be even better.

Indeed. There are tons of reports of ClamAV installations suddenly getting
wedged, see
http://lists.clamav.net/pipermail/clamav-users/2018-January/thread.html#5658 .
It is a bit unclear whether 0.99.3 does fix this issue (which seems to be
caused by a recent signature update), but other news sites claim that at
least CVE-2017-12376 is getting actively exploited.

Bernhard
Bug#888484: clamav: Security release 0.99.3 available
Package: clamav
Version: 0.99.2+dfsg-0+deb8u2
Severity: important

0.99.3 has been released, see
http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html.

This fixed a number of overflow bugs, each of which has assigned CVE numbers
due to the potential for denial of service.

We've started seeing unexpected clamd crashes on a high-traffic mail
system today, though I've been unable to isolate a test case. It seems like
too much of a coincidence that these crashes start happening the day after a
security release was announced. We've implemented mitigations but an updated
package would be even better.

Cheers!
Rob N.

-- Package-specific info: