On 2023-09-13 17:26:46 [+0100], Adam D. Barratt wrote:
> How does this sound for an SUA?
> 
> ===========
> Package              : clamav
> Version              : 1.0.3+dfsg-1~deb12u1 [bookworm]
>                        0.103.10+dfsg-0+deb11u1 [bullseye]
> Importance           : medium
> 
> ClamAV is an AntiVirus toolkit for Unix.
> 
> Upstream published versions 1.0.3 and 0.103.10.
> 
> This is a bug-fix release and an upstream LTS release. The changes are not
> currently required for operation, but upstream strongly recommends that users
> update.
> 
> Changes since 1.0.1 and 0.103.8 currently in bookworm and bullseye include
> fixes for a security issue:
> 
>     CVE-2023-20197: Possible denial of service vulnerability in the HFS+
>                     file parser.
> 
> The update for bookworm also includes a fix for a second security issue:
> 
>     CVE-2023-20212: Possible denial of service vulnerability in the AutoIt
>                     module.
> 
> If you use clamav, we recommend that you install this update.
> ===========
> 
> I'm not entirely happy with the CVE section, but not sure how else to
> present it, given that both updates fix one issue but aiui the second
> only applies to bookworm.

This sounds entirely fine to me. I don't think that it is needed to
point out that bullseye is not affected by the second issue.

There is also this thing regarding libclamunrar and the update to
v6.2.10 of the bundled library. I *think* it is related to
CVE-2023-40477. Since unrar itself is only in -pu I think it is okay for
libclamunrar to follow the same fate.

> Regards,
> 
> Adam

Sebastian
