Bug#904199: stretch-pu: package clamav/ 0.100.0+dfsg-0+deb9u2
On 2018-07-29 22:01:20 [+0100], Adam D. Barratt wrote:
> > ClamAV is an AntiVirus toolkit for Unix.
> >
> > Upstream published version 0.100.1.
> >
> > This is mostly a bug-fix release. The changes are not strictly
> > required for operation, but users of the previous version in stretch
> > may not be able to make use of all current virus signatures and might
> > get warnings.
> >
> > Changes since 0.100.0 currently in stretch include fixes for two
> > security issues.
> >
> > CVE-2018-0360
> >
> >   ClamAV before 0.100.1 has an HWP integer overflow with a resultant
> >   infinite loop via a crafted Hangul Word Processor file.
> >
> > CVE-2018-0361
> >
> >   ClamAV before 0.100.1 lacks a PDF object length check, resulting
> >   in an unreasonably long time to parse a relatively small file.

Perfect, thank you.

> Apologies if the initial section is incorrect; it wasn't entirely clear
> to me whether there would be warnings for the bump from 0.100.0 to
> 0.100.1.

No worries.

> Regards,
>
> Adam

Sebastian
Bug#904199: stretch-pu: package clamav/ 0.100.0+dfsg-0+deb9u2
On Sat, 2018-07-28 at 10:48 +0200, Sebastian Andrzej Siewior wrote:
> On 2018-07-28 09:24:28 [+0100], Adam D. Barratt wrote:
> > Was the intent that the package would be pushed via -updates?
>
> Yes, please. If you need additional information I can provide it then,
> on Sunday evening.

My weekend's ended up busier than I expected, so unfortunately I didn't
get a chance to sort this out yet.

How does the below sound as a draft for the relevant part of the SUA?
(Based on the style of some previous SUAs - and indeed VUAs - for new
clamav upstream versions.)

ClamAV is an AntiVirus toolkit for Unix.

Upstream published version 0.100.1.

This is mostly a bug-fix release. The changes are not strictly
required for operation, but users of the previous version in stretch
may not be able to make use of all current virus signatures and might
get warnings.

Changes since 0.100.0 currently in stretch include fixes for two
security issues.

CVE-2018-0360

  ClamAV before 0.100.1 has an HWP integer overflow with a resultant
  infinite loop via a crafted Hangul Word Processor file.

CVE-2018-0361

  ClamAV before 0.100.1 lacks a PDF object length check, resulting
  in an unreasonably long time to parse a relatively small file.

Apologies if the initial section is incorrect; it wasn't entirely clear
to me whether there would be warnings for the bump from 0.100.0 to
0.100.1.

Regards,

Adam
Bug#904199: stretch-pu: package clamav/ 0.100.0+dfsg-0+deb9u2
On 2018-07-28 09:24:28 [+0100], Adam D. Barratt wrote:
> Was the intent that the package would be pushed via -updates?

Yes, please. If you need additional information I can provide it then,
on Sunday evening.

> Regards,
>
> Adam

Sebastian
Bug#904199: stretch-pu: package clamav/ 0.100.0+dfsg-0+deb9u2
On Sat, 2018-07-21 at 15:02 +0200, Sebastian Andrzej Siewior wrote:
> clamav upstream published a new version which contains security-relevant
> bug fixes; two of them have a CVE number assigned:
>
> CVE-2018-0360
>   HWP integer overflow, infinite loop vulnerability. Reported by
>   Secunia Research at Flexera.
>
> CVE-2018-0361
>   ClamAV PDF object length check, unreasonably long time to parse
>   relatively small file. Reported by aCaB.

Was the intent that the package would be pushed via -updates?

Regards,

Adam