Your message dated Fri, 06 Mar 2009 21:47:03 +0000
with message-id <e1lfhsl-0007j9...@ries.debian.org>
and subject line Bug#518524: fixed in amavisd-new 1:2.6.2-2
has caused the Debian Bug report #518524,
regarding Fails to detect message with multiple virus payloads as infected
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
518524: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518524
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: amavisd-new
Version: 1:2.6.2-1
Severity: grave
Tags: security
Justification: allows viruses to get through undetected

Verified to be a regression from 2.6.1 to 2.6.2, so it is not in Lenny.

Something is breaking amavisd-new detection of INFECTED messages when the AV
code returns more than one virus match.  This happens with clamav, both in
daemon mode and command-line mode.  I have not tested with other AV engines,
but the fact that it hits both the command-line mode and the daemon mode
makes it probable that it will also trigger with other AVs.

The bug is triggered only when multiple virus signatures are found (in
different parts, I didn't test more than one per part).  This is rare in the
field when only standard clamav signatures are in use, since usually the
detectable payload shows up in the message only once.

HOWEVER, anyone making use of keep_decoded_original_maps and decode_parts to
have the raw message and the decoded message available to the AV engine WILL
hit the bug.  And that's a common enough setup to be cause for worry.

I am trying to debug this, but I thought it better to send the bug in as a
warning ASAP.

The simplest test vector I have is to send an email with two copies of the
EICAR signatures attached as text files.  The clamav log clearly shows that
both parts were detected as infected, but amavis fails to consider the
message to be INFECTED, and lets it through as CLEAN.

Another easy way to test it (be extremely careful, this will cause EVERY
infected message to get through undetected) is to change
keep_decoded_original_maps to match "MAIL" so that the raw message is
available, and keep decode_parts enabled.  This causes two copies of the
virus to be extracted to the scratch area, and clamav will find and report
both, triggering the bug.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



--- End Message ---
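
The test vector described in the report above, as an added example that is not part of the original message and is not amavisd-new code: it builds a mail with two EICAR text attachments and states the invariant the regression broke, namely that any number of scanner matches must yield INFECTED. The addresses, scratch paths and the sample scanner output are constructed placeholders, and the report does not state the root cause, so the parsing here only illustrates the expected behaviour.

```python
import re
from email.message import EmailMessage

# Standard 68-byte EICAR anti-virus test string (harmless by design).
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def build_test_message(copies=2):
    """Build a mail carrying `copies` EICAR text attachments (the report's test vector)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"       # placeholder addresses (assumption)
    msg["To"] = "av-test@example.org"
    msg["Subject"] = "AV regression test: multiple EICAR parts"
    msg.set_content("Test mail for the content filter; attachments are EICAR test files.")
    for i in range(1, copies + 1):
        msg.add_attachment(EICAR, subtype="plain", filename=f"eicar{i}.txt")
    return msg

# clamscan-style result line: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>.+) FOUND$")

def parse_found(scanner_output):
    """Return every (path, signature) pair reported as FOUND, not just the first."""
    hits = []
    for line in scanner_output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m["path"], m["sig"]))
    return hits

def verdict(hits):
    """One or more matches must yield INFECTED; the match count must never change that."""
    return "INFECTED" if hits else "CLEAN"

# Constructed sample output for a scratch area holding two infected parts.
SAMPLE_OUTPUT = """\
/scratch/parts/p001: OK
/scratch/parts/p002: Eicar-Test-Signature FOUND
/scratch/parts/p003: Eicar-Test-Signature FOUND
"""

if __name__ == "__main__":
    msg = build_test_message()
    print(sum(1 for _ in msg.iter_attachments()), "EICAR attachment(s) built")
    hits = parse_found(SAMPLE_OUTPUT)
    print(len(hits), "match(es) ->", verdict(hits))
```

Deliver the generated message through a test mailbox behind the content filter and compare the filter's logged verdict with the scanner's own log; a mismatch between the two is the symptom this report describes.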
--- Begin Message ---
Source: amavisd-new
Source-Version: 1:2.6.2-2

We believe that the bug you reported is fixed in the latest version of
amavisd-new, which is due to be installed in the Debian FTP archive:

amavisd-new-milter_2.6.2-2_amd64.deb
  to pool/main/a/amavisd-new/amavisd-new-milter_2.6.2-2_amd64.deb
amavisd-new_2.6.2-2.diff.gz
  to pool/main/a/amavisd-new/amavisd-new_2.6.2-2.diff.gz
amavisd-new_2.6.2-2.dsc
  to pool/main/a/amavisd-new/amavisd-new_2.6.2-2.dsc
amavisd-new_2.6.2-2_all.deb
  to pool/main/a/amavisd-new/amavisd-new_2.6.2-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 518...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Wirt <formo...@debian.org> (supplier of updated amavisd-new package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 06 Mar 2009 22:10:30 +0100
Source: amavisd-new
Binary: amavisd-new amavisd-new-milter
Architecture: source all amd64
Version: 1:2.6.2-2
Distribution: unstable
Urgency: medium
Maintainer: Brian May <b...@snoopy.debian.net>
Changed-By: Alexander Wirt <formo...@debian.org>
Description: 
 amavisd-new - Interface between MTA and virus scanner/content filters
 amavisd-new-milter - Interface between sendmail-milter and amavisd-new
Closes: 518524
Changes: 
 amavisd-new (1:2.6.2-2) unstable; urgency=medium
 .
   * Update antivirusscanner definitions. This is security relevant since
     some scanners may not work properly anymore without the update.
     (Closes: #518524)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmxlvEACgkQ01u8mbx9Agq+EQCgwFxyxKq/UWiKV8a4yC1cdafV
M5gAoNyFYTzYJsctD1fJFCQyaKXRgJoR
=y+Ry
-----END PGP SIGNATURE-----



--- End Message ---
