Hi,

On Mon, Aug 12, 2019 at 08:35:25AM +0200, Sebastian Andrzej Siewior wrote:
> control: found -1 0.98.6+dfsg-1
>
> On 2019-08-12 08:21:22 [+0200], Hugo Lefeuvre wrote:
> > Hi Sebastian,
> Hi,
>
> > I'm sorry if this sounded insistent, it was not intended like that.
>
> No problem, everything is okay. I was planning to open a similar bug
> just to point out that the issue is not completely fixed so the release
> team is aware while processing the pu bug.
> I just wanted to make clear that we have what upstream has in their
> latest release and we don't lack a patch or so and we are waiting for an
> update.

There is now CVE-2019-12625 specifically assigned for

> The zip bomb vulnerability mitigated in 0.101.3 has been assigned the
> CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-
> bomb mitigation was immediately identified. To remediate the zip-bomb
> scan time issue, a scan time limit has been introduced in 0.101.4. This
> limit now resolves ClamAV's vulnerability to CVE-2019-12625.
>
> The default scan time limit is 2 minutes (120000 milliseconds).
>
> To customize the time limit:
> - use the clamscan --max-scantime option
> - use the clamd MaxScanTime config option
>
> Libclamav users may customize the time limit using the cl_engine_set_num
> function. For example:
>
>     cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, time_limit_milliseconds)
>
> Thanks to David Fifield for reviewing the zip-bomb mitigation in
> 0.101.3 and reporting the issue.

https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html

Regards,
Salvatore
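The release note quoted above says the CVE-2019-12625 fix relies on the scan time limit being in effect. As an added example (not part of this mail and not ClamAV's own tooling), the POSIX shell audit below reads a clamd.conf on stdin and reports the effective MaxScanTime. It assumes the option is a bare integer in milliseconds, that an absent option means the 120000 ms default quoted above applies, and that a value of 0 disables the limit; the sample configs are constructed for the example.

```shell
# Added example: audit a clamd.conf for the MaxScanTime setting behind the
# CVE-2019-12625 mitigation. Not ClamAV code. Assumptions: the value is a bare
# integer in milliseconds, an absent option means the 120000 ms default from the
# 0.101.4 release notes, and 0 disables the limit.

# Print the effective scan time limit (ms) for the config read from stdin.
effective_max_scantime_ms() {
    # Drop comments, then keep the last MaxScanTime assignment seen.
    value=$(sed -e 's/#.*$//' | awk '$1 == "MaxScanTime" { v = $2 } END { print v }')
    if [ -z "$value" ]; then
        echo 120000   # default stated in the release notes
    else
        echo "$value"
    fi
}

# Exit 0 when a positive limit is active, 1 when the limit is disabled or malformed.
check_scantime_limit() {
    ms=$(effective_max_scantime_ms)
    case "$ms" in
        ''|*[!0-9]*)
            echo "MaxScanTime has a non-numeric value: '$ms'"
            return 1 ;;
        0)
            echo "MaxScanTime 0: scan time limit disabled (assumed semantics), mitigation not in effect"
            return 1 ;;
        *)
            echo "MaxScanTime ${ms} ms: scan time limit active"
            return 0 ;;
    esac
}

# Constructed sample configs (not real deployments).
SAMPLE_HARDENED='LogFile /var/log/clamav/clamd.log
MaxScanTime 60000   # one minute
'
SAMPLE_DEFAULT='LogFile /var/log/clamav/clamd.log
'
SAMPLE_DISABLED='LogFile /var/log/clamav/clamd.log
MaxScanTime 0
'

# Demo run over the three constructed samples.
for sample in "$SAMPLE_HARDENED" "$SAMPLE_DEFAULT" "$SAMPLE_DISABLED"; do
    printf '%s\n' "$sample" | check_scantime_limit || true
done
```

Feed a real file with `check_scantime_limit < /etc/clamav/clamd.conf`; the same check applies to scripted clamscan invocations, where the equivalent knob is `--max-scantime`.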
