Your message dated Mon, 26 Aug 2019 19:17:07 +0000
with message-id <[email protected]>
and subject line Bug#934359: fixed in clamav 0.101.4+dfsg-0+deb10u1
has caused the Debian Bug report #934359,
regarding clamav: ZIP bomb causes extreme CPU spikes
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
934359: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934359
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: clamav
Version: 0.101.2+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://bugzilla.clamav.net/show_bug.cgi?id=12356
Hi,
clamav is affected by a DoS vulnerability caused by crafted, extremely
compressed ZIP files.
Even though this issue is marked as fixed in unstable, the current patch is
incomplete (see upstream bug report). Upstream is actively working on a
more advanced patch.
regards,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
--- End Message ---
--- Begin Message ---
Source: clamav
Source-Version: 0.101.4+dfsg-0+deb10u1
We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated clamav
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 25 Aug 2019 12:53:19 +0200
Source: clamav
Architecture: source
Version: 0.101.4+dfsg-0+deb10u1
Distribution: buster
Urgency: medium
Maintainer: ClamAV Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 934359
Changes:
clamav (0.101.4+dfsg-0+deb10u1) buster; urgency=medium
.
* Import 0.101.4
- CVE-2019-12625 (Add scan time limit to limit the processing zip-bombs)
(Closes:934359)
- CVE-2019-12900 (An out of bounds write was possible within ClamAV's
NSIS bzip)
- update symbols file (bump to 101.4 and drop unused cli_strnstr).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---