
Debian alert DLA-4292-1 (clamav)

From:  Lucas Kanashiro <kanashiro@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 4292-1] clamav security update
Date:  Thu, 04 Sep 2025 09:40:32 -0300
Message-ID:  <6c58999086a312006015eb057b8e00c1@debian.org>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4292-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Lucas Kanashiro
September 04, 2025                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : clamav
Version        : 1.0.9+dfsg-1~deb11u1
CVE ID         : CVE-2025-20128 CVE-2025-20260
Debian Bug     : 1093880 1108046

A couple of vulnerabilities have been fixed in ClamAV, an anti-virus
utility for Unix.

CVE-2025-20128

    The Object Linking and Embedding 2 (OLE2) decryption routine of
    ClamAV could allow an unauthenticated, remote attacker to cause a
    denial of service (DoS) condition on an affected device.

CVE-2025-20260

    The PDF scanning processes of ClamAV could allow an unauthenticated,
    remote attacker to cause a buffer overflow condition, cause a denial
    of service (DoS) condition, or execute arbitrary code on an affected
    device.

For Debian 11 bullseye, these problems have been fixed in version
1.0.9+dfsg-1~deb11u1.

We recommend that you upgrade your clamav packages.

For the detailed security status of clamav please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/clamav

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
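
As an added example (not part of the advisory or of any Debian tool), the Python code below reimplements the Debian version ordering so that a package inventory collected from bullseye hosts can be checked offline against the fixed version stated above. The function names and the sample inventory are assumptions made for illustration.

```python
import re
from itertools import zip_longest

# Fixed version for Debian 11 bullseye, taken from the advisory text.
FIXED = "1.0.9+dfsg-1~deb11u1"

def _order(c):
    # Ordering of non-digit characters: '~' sorts before everything, even the
    # end of the string (0); letters sort before other punctuation.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _runs(part):
    # Split into (non-digit run, number) pairs; the trailing 0 marks run end.
    pairs = re.findall(r"([^0-9]*)([0-9]*)", part)
    return [([_order(c) for c in nd] + [0], int(d or 0)) for nd, d in pairs]

def _cmp_part(a, b):
    # Compare one component (upstream version or Debian revision).
    for x, y in zip_longest(_runs(a), _runs(b), fillvalue=([0], 0)):
        if x != y:
            return -1 if x < y else 1
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def deb_cmp(a, b):
    # -1, 0 or 1 under Debian version ordering (epoch, upstream, revision).
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def needs_update(inventory, fixed=FIXED):
    # inventory: "package version" lines, the shape `dpkg-query -W` prints.
    rows = [line.split() for line in inventory.splitlines()]
    return [r[0] for r in rows if len(r) == 2 and deb_cmp(r[1], fixed) < 0]

# Constructed sample (not real host data), chosen to exercise the ordering.
SAMPLE = """clamav 1.0.7+dfsg-1~deb11u2
clamav-daemon 1.0.9+dfsg-1~deb11u1
clamav-freshclam 1.0.9+dfsg-1
clamav-base 0.103.10+dfsg-0+deb11u1"""

print(needs_update(SAMPLE))
```

On a Debian host itself, `dpkg --compare-versions <installed> lt 1.0.9+dfsg-1~deb11u1` performs the same comparison natively.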

