[Pkg-clamav-devel] Bug#888484: clamav: Security release 0.99.3 available

Bernhard Schmidt berni at debian.org
Fri Jan 26 11:32:38 UTC 2018


Control: tags -1 security
Control: severity -1 grave

On Fri, Jan 26, 2018 at 09:35:25AM +0000, Rob N wrote:
> Package: clamav
> Version: 0.99.2+dfsg-0+deb8u2
> Severity: important
> 
> 0.99.3 has been released, see http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html.
> 
> This fixed a number of overflow bugs, each of which has assigned CVE numbers
> due to the potential for denial of service.
> 
> We've started seeing unexpected clamd crashes on a high-traffic mail
> system today, though I've been unable to isolate a test case. It seems like
> too much of a coincidence that these crashes start happening the day after a
> security release was announced. We've implemented mitigations but an updated
> package would be even better.

Indeed. There are tons of reports of ClamAV installations suddenly
getting wedged, see
http://lists.clamav.net/pipermail/clamav-users/2018-January/thread.html#5658
It is a bit unclear whether 0.99.3 does fix this issue (which seems to
be caused by a recent signature update), but other news sites claim that
at least CVE-2017-12376 is getting actively exploited.

Bernhard
