Your message dated Mon, 26 Aug 2019 19:17:28 +0000
with message-id <[email protected]>
and subject line Bug#934359: fixed in clamav 0.101.4+dfsg-0+deb9u1
has caused the Debian Bug report #934359,
regarding clamav: ZIP bomb causes extreme CPU spikes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
934359: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934359
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: clamav
Version: 0.101.2+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://bugzilla.clamav.net/show_bug.cgi?id=12356

Hi,

clamav is affected by a DoS vulnerability caused by crafted, extremely
compressed ZIP files.

Even though this issue is marked as fixed in unstable, the current patch is
incomplete (see upstream bug report). Upstream is actively working on a
more advanced patch.

regards,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
--- End Message ---
--- Begin Message ---
Source: clamav
Source-Version: 0.101.4+dfsg-0+deb9u1

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated clamav
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 25 Aug 2019 14:08:40 +0200
Source: clamav
Architecture: source
Version: 0.101.4+dfsg-0+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: ClamAV Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 921190 934359
Changes:
 clamav (0.101.4+dfsg-0+deb9u1) stretch; urgency=medium
 .
   * Import 0.101.4 (Closes: 921190)
     - CVE-2019-12625 (Add scan time limit to limit the processing zip-bombs)
       (Closes:934359)
     - CVE-2019-12900 (An out of bounds write was possible within ClamAV's
       NSIS bzip)
     - update symbols file (bump to 101.4 and drop unused cli_strnstr).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---