On 2024-02-09 23:12:18 [+0100], To sub...@bugs.debian.org wrote:
> Package: release.debian.org
> Control: affects -1 + src:clamav
> X-Debbugs-Cc: cla...@packages.debian.org
> User: release.debian....@packages.debian.org
> Usertags: pu
> Tags: bookworm
> Severity: normal
>
> This is an update to the latest clamav release in the 1.0.x series. This
> update closes two CVEs:
>
> - CVE-2024-20290: Fixed a possible heap overflow read bug in the OLE2 file
>   parser that could cause a denial-of-service (DoS) condition.
>
> - CVE-2024-20328: Fixed a possible command injection vulnerability in the
>   "VirusEvent" feature of ClamAV's ClamD service.
>
> To fix this issue, we disabled the '%f' format string parameter. ClamD
> administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME`
> environment variable, instead of '%f'. But you should do so only from within an
> executable, such as a Python script, and not directly in the clamd.conf
> "VirusEvent" command.

A friendly ping.

Sebastian
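As an added example (not part of the bug report, the Debian package, or ClamAV's own code): a VirusEvent handler written the way the quoted report recommends, taking the detected file's path from `CLAM_VIRUSEVENT_FILENAME` instead of a '%f' substitution in clamd.conf. The script path, the quarantine directory and the sample filenames are assumptions; `CLAM_VIRUSEVENT_VIRUSNAME` is a second variable clamd exports alongside the filename.

```python
#!/usr/bin/env python3
"""clamd VirusEvent handler.
clamd.conf points at this script with no '%f' substitution (path assumed):
    VirusEvent /usr/local/bin/virus_event.py
clamd exports the detection details as environment variables; the script
consumes them without ever splicing them into a shell command line.
"""
import os
import shutil
import subprocess
import sys
from pathlib import Path

QUARANTINE_DIR = Path("/var/lib/clamav/quarantine")  # assumed location


def event_from_env(environ):
    """Read the detection details clamd exports; None if not run by clamd."""
    filename = environ.get("CLAM_VIRUSEVENT_FILENAME")
    if not filename:
        return None
    return {
        "filename": filename,
        "virusname": environ.get("CLAM_VIRUSEVENT_VIRUSNAME", "unknown"),
    }


def notify_argv(event):
    """Build the log command as an argv list: the filename travels as one
    argument, so ';', '$(...)' or quotes inside it are data, not syntax.
    With '%f' the same value was spliced into a string parsed by a shell."""
    return ["logger", "-t", "clamd",
            f"detected {event['virusname']} in {event['filename']}"]


def quarantine_path(filename, quarantine_dir=QUARANTINE_DIR):
    """Destination for the file: only its basename is kept, so a path with
    '..' components cannot point outside the quarantine directory."""
    return quarantine_dir / Path(filename).name


def main():
    event = event_from_env(os.environ)
    if event is None:
        sys.exit("CLAM_VIRUSEVENT_FILENAME not set; run by clamd only")
    subprocess.run(notify_argv(event), check=False)  # argv list, no shell
    QUARANTINE_DIR.mkdir(parents=True, exist_ok=True)
    shutil.move(event["filename"], quarantine_path(event["filename"]))


if __name__ == "__main__":
    main()
```

The constructed filename `/srv/upload/invoice;echo injected.pdf` is the kind of value that made '%f' dangerous; passed as one argv element it is logged verbatim and nothing is executed.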