
Debian alert DLA-1953-1 (clamav)

From:  Hugo Lefeuvre <hle@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 1953-1] clamav security update
Date:  Thu, 10 Oct 2019 12:52:12 +0200
Message-ID:  <20191010105212.d5fhppjzo7seeqaj@behemoth.owl.eu.com.local>

Package : clamav
Version : 0.101.4+dfsg-0+deb8u1
CVE ID : CVE-2019-12625 CVE-2019-12900
Debian Bug : 34359

It was discovered that clamav, the open source antivirus engine, is affected by the following security vulnerabilities:

CVE-2019-12625

Denial of Service (DoS) vulnerability, resulting from excessively long scan times caused by non-recursive zip bombs. Among others, this issue was mitigated by introducing a scan time limit.

CVE-2019-12900

Out-of-bounds write in ClamAV's NSIS bzip2 library when attempting decompression in cases where the number of selectors exceeded the max limit set by the library.

This update triggers a transition from libclamav7 to libclamav9. As a result, several other packages will be recompiled against the fixed package after the release of this update: dansguardian, havp, python-pyclamav, c-icap-modules.

For Debian 8 "Jessie", these problems have been fixed in version 0.101.4+dfsg-0+deb8u1.

We recommend that you upgrade your clamav packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
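An added illustration of the CVE-2019-12900 bug class, not ClamAV's or bzip2's own code: a simplified selector loader in C that validates the declared count before writing into its fixed-size table. The constants follow upstream bzip2 and are assumed to match ClamAV's NSIS copy; the one-byte-per-selector layout and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Upstream bzip2 values; assumed to match ClamAV's NSIS bzip2 copy. */
#define MAX_SELECTORS (2u + 900000u / 50u)   /* 18002 table slots */
#define MAX_GROUPS    6u
#define COUNT_MASK    0x7FFFu                /* 15-bit field: up to 32767 */

enum { SEL_DATA_ERROR = -1, SEL_TRUNCATED = -2 };

/* Extract the 15-bit selector count from two header bytes (simplified layout). */
unsigned read_selector_count(uint8_t hi, uint8_t lo)
{
    return (((unsigned)hi << 8) | lo) & COUNT_MASK;
}

/* Copy `declared` selectors into a fixed table; returns the count stored or a
 * negative error. Without the upper-bound test, a declared count between
 * 18003 and 32767 would make the loop write past the end of the table. */
int load_selectors(unsigned declared, const uint8_t *sel, size_t sel_len,
                   uint8_t table[MAX_SELECTORS])
{
    if (declared < 1 || declared > MAX_SELECTORS)
        return SEL_DATA_ERROR;               /* reject before any write */
    if (sel_len < declared)
        return SEL_TRUNCATED;                /* input shorter than it claims */
    for (unsigned i = 0; i < declared; i++) {
        if (sel[i] >= MAX_GROUPS)
            return SEL_DATA_ERROR;           /* selector must name a valid group */
        table[i] = sel[i];
    }
    return (int)declared;
}

/* Run the loader over a constructed all-zero selector stream. */
int run_constructed(unsigned declared)
{
    static uint8_t stream[COUNT_MASK + 1u];  /* constructed sample input */
    static uint8_t table[MAX_SELECTORS];
    return load_selectors(declared, stream, sizeof stream, table);
}

int main(void)
{
    unsigned counts[] = { 1, MAX_SELECTORS, MAX_SELECTORS + 1, COUNT_MASK };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++)
        printf("declared=%u -> %d\n", counts[i], run_constructed(counts[i]));
}
```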

