---------------------------------------------------------------------------
Debian Volatile Update Announcement VUA 21-1     http://volatile.debian.net
[EMAIL PROTECTED]                               Stephen Gran
October 16th, 2006
---------------------------------------------------------------------------


Package              : clamav
Version              : 0.88.5-0volatile1
Importance           : high
CVE IDs              : CVE-2006-4182
                       CVE-2006-5295

The following security flaws were found and fixed in clamav:

CVE-2006-4182:

    A heap overflow in the "rebuildpe.c" source file, occurring when PE files
    are rebuilt, has been discovered. It could be exploited by attackers or
    malware to compromise a vulnerable system.


CVE-2006-5295:

    An error in the CHM unpacker (chmunpack.c) when unpacking malformed files
    has been discovered, which could be exploited by attackers to crash an
    affected application.


For sarge, an updated clamav package is available in sarge/volatile
as version 0.88.5-0volatile1. We recommend that you update your system.

This advisory was sent out without builds for arm, hppa, ia64, m68k, mips,
mipsel and s390 architectures being available. They will be released as soon
as they are available.


Upgrade Instructions
--------------------

You can get the updated packages at

http://volatile.debian.net/debian-volatile/pool/volatile/main/c/clamav/

and install them with dpkg, or add

 deb http://volatile.debian.net/debian-volatile sarge/volatile main
 deb-src http://volatile.debian.net/debian-volatile sarge/volatile main

to your /etc/apt/sources.list. You can also use any of our mirrors.
Please see http://www.debian.org/devel/debian-volatile/volatile-mirrors for
the full list of mirrors.  The archive signing key can be downloaded from
http://volatile.debian.net/ziyi-sarge.asc

For further information about debian-volatile, please refer to
http://volatile.debian.net/ and http://www.debian.org/devel/debian-volatile/.

If there are any issues, please don't hesitate to get in touch with the
volatile team.

-- 
Martin Zobel-Helas                      GPG Key-ID:    0x5d64f870
Debian Developer                        eMail Privat:  [EMAIL PROTECTED]
Debian Stable Release Manager           eMail Debian:  [EMAIL PROTECTED]
