*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Marc Deslauriers 
(mdeslaur):

CVE-2023-20032: Fixed a possible remote code execution vulnerability in
the HFS+ file parser. The issue affects versions 1.0.0 and earlier,
0.105.1 and earlier, and 0.103.7 and earlier.

https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html



--


Read this online at 
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html
-----------------


Today, we are releasing the following critical patch versions for ClamAV:

    0.103.8
    0.105.2
    1.0.1

ClamAV 0.104 has reached end-of-life according to the ClamAV End of Life
(EOL) policy and will not be patched. Anyone using ClamAV 0.104 must
switch to a supported version. All users should update as soon as
possible to patch for two remote code execution vulnerabilities that we
recently discovered and patched.

The release files are available for download on ClamAV.net, on the GitHub
Release page, and through Docker Hub.

1.0.1

ClamAV 1.0.1 is a critical patch release with the following fixes:

    CVE-2023-20032: Fixed a possible remote code execution vulnerability
in the HFS+ file parser. The issue affects versions 1.0.0 and earlier,
0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon
Scannell for reporting this issue.

    CVE-2023-20052: Fixed a possible remote information leak
vulnerability in the DMG file parser. The issue affects versions 1.0.0
and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to
Simon Scannell for reporting this issue.

    Fix an allmatch detection issue with the preclass bytecode hook.

        GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/825

    Update the vendored libmspack library to version 0.11alpha.

        GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/828

0.105.2

ClamAV 0.105.2 is a critical patch release with the following fixes:

    CVE-2023-20032: Fixed a possible remote code execution vulnerability
in the HFS+ file parser. The issue affects versions 1.0.0 and earlier,
0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon
Scannell for reporting this issue.

    CVE-2023-20052: Fixed a possible remote information leak
vulnerability in the DMG file parser. The issue affects versions 1.0.0
and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to
Simon Scannell for reporting this issue.

    Fixed an issue loading Yara rules containing regex strings with an
escaped forward-slash (\/) followed by a colon (:).

        GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/695

    Moved the ClamAV Docker files for building containers to a new Git
repository. The Docker files are now in
https://github.com/Cisco-Talos/clamav-docker. This change enables us to
fix issues with the images and with the supporting scripts used to
publish and update the images without committing changes directly to
files in the ClamAV release branches.

        GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/765

    Update the vendored libmspack library to version 0.11alpha.

        GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/829

0.103.8

ClamAV 0.103.8 is a critical patch release with the following fixes:

    CVE-2023-20032: Fixed a possible remote code execution vulnerability
in the HFS+ file parser. The issue affects versions 1.0.0 and earlier,
0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon
Scannell for reporting this issue.

    CVE-2023-20052: Fixed a possible remote information leak
vulnerability in the DMG file parser. The issue affects versions 1.0.0
and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to
Simon Scannell for reporting this issue.

    Update the vendored libmspack library to version 0.11alpha.

        GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/830



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

_______________________________________________

clamav-announce mailing list
clamav-annou...@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-announce

http://www.clamav.net/contact.html#ml

** Affects: clamav (Ubuntu)
     Importance: Undecided
     Assignee: David Fernandez Gonzalez (litios)
         Status: New
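As an added example (not code from the ClamAV project, the announcement, or the Launchpad report), a small Python check that classifies a `clamscan --version` string against the version ranges stated in the announcement above: 0.103.x needs 0.103.8, 0.105.x needs 0.105.2, 1.0.x needs 1.0.1, and 0.104.x is end-of-life with no patch. The status labels and the assumed shape of the `clamscan --version` output are my own.

```python
"""Classify a ClamAV version against the fixed versions named in the
0.103.8 / 0.105.2 / 1.0.1 announcement (CVE-2023-20032, CVE-2023-20052).
Constructed example; status labels are the author's own convention."""
import re
from typing import Optional, Tuple

# Minimum patched version per supported branch, as stated in the announcement.
FIXED = {(0, 103): (0, 103, 8), (0, 105): (0, 105, 2), (1, 0): (1, 0, 1)}
# 0.104 is end-of-life and will not be patched, so every 0.104.x is flagged.
EOL_BRANCHES = {(0, 104)}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a `clamscan --version` line such as
    'ClamAV 0.105.1/26812/Tue Feb 14 08:20:15 2023' or a bare '1.0.0'
    (assumed output shape). Returns None when no x.y.z version is present."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """Return one of: 'patched', 'vulnerable', 'eol-unpatched',
    'newer-than-advisory' (above 1.0.1, not covered by the announcement),
    or 'unknown' (no version found)."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    branch = v[:2]
    if branch in EOL_BRANCHES:
        return "eol-unpatched"
    if branch in FIXED:
        return "patched" if v >= FIXED[branch] else "vulnerable"
    if v > (1, 0, 1):
        # Released after the fix; the announcement says nothing about it.
        return "newer-than-advisory"
    # Anything else (e.g. 0.102.x) is "0.103.7 and earlier", so affected.
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real hosts.
    for sample in ("ClamAV 0.105.1/26812/Tue Feb 14 08:20:15 2023",
                   "ClamAV 1.0.1", "ClamAV 0.104.4", "ClamAV 0.102.4"):
        print(f"{sample!r}: {assess(sample)}")
```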

-- 
CVE-2023-20032: Fixed a possible remote code execution vulnerability in the 
HFS+ file parser. 
https://bugs.launchpad.net/bugs/2007456
You received this bug notification because you are a member of Ubuntu Bugs, 
which is subscribed to the bug report.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
