[Pkg-clamav-devel] Bug#1080962: UNSUBSCRIBE

Thu Oct 3 14:28:52 BST 2024

Please unsubscribe me from your mailing list
nick.mortel at gmail.com

On Thu, 3 Oct 2024, 13:10 Debian Bug Tracking System, <owner at bugs.debian.org>
wrote:

> Your message dated Thu, 03 Oct 2024 12:05:39 +0000
> with message-id <E1swKaR-00Awch-P5 at fasolo.debian.org>
> and subject line Bug#1080962: fixed in clamav 1.4.1+dfsg-1
> has caused the Debian Bug report #1080962,
> regarding clamav: CVE-2024-20505 CVE-2024-20506
> to be marked as done.
>
> This means that you claim that the problem has been dealt with.
> If this is not the case it is now your responsibility to reopen the
> Bug report if necessary, and/or fix the problem forthwith.
>
> (NB: If you are a system administrator and have no idea what this
> message is talking about, this may indicate a serious mail system
> misconfiguration somewhere. Please contact owner at bugs.debian.org
> immediately.)
>
>
> --
> 1080962: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1080962
> Debian Bug Tracking System
> Contact owner at bugs.debian.org with problems
>
>
>
> ---------- Forwarded message ----------
> From: Salvatore Bonaccorso <carnil at debian.org>
> To: Debian Bug Tracking System <submit at bugs.debian.org>
> Cc:
> Bcc:
> Date: Fri, 06 Sep 2024 00:05:05 +0200
> Subject: clamav: CVE-2024-20505 CVE-2024-20506
> Source: clamav
> Version: 1.3.1+dfsg-5
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <
> team at security.debian.org>
> Control: found -1 1.0.5+dfsg-1~deb12u1
> Control: found -1 0.103.10+dfsg-0+deb11u1
>
> Hi,
>
> The following vulnerabilities were published for clamav.
>
> CVE-2024-20505[0]:
> | A vulnerability in the PDF parsing module of Clam AntiVirus (ClamAV)
> | versions 1.4.0, 1.3.2 and prior versions, all 1.2.x versions, 1.0.6
> | and prior versions, all 0.105.x versions, all 0.104.x versions, and
> | 0.103.11 and all prior versions could allow an unauthenticated,
> | remote attacker to cause a denial of service (DoS) condition on an
> | affected device.    The vulnerability is due to an out of bounds
> | read. An attacker could exploit this vulnerability by submitting a
> | crafted PDF file to be scanned by ClamAV on an affected device. An
> | exploit could allow the attacker to terminate the scanning process.
>
>
> CVE-2024-20506[1]:
> | A vulnerability in the ClamD service module of Clam AntiVirus
> | (ClamAV) versions 1.4.0, 1.3.2 and prior versions, all 1.2.x
> | versions, 1.0.6 and prior versions, all 0.105.x versions, all
> | 0.104.x versions, and 0.103.11 and all prior versions could allow an
> | authenticated, local attacker to corrupt critical system files.
> | The vulnerability is due to allowing the ClamD process to write to
> | its log file while privileged without checking if the logfile has
> | been replaced with a symbolic link. An attacker could exploit this
> | vulnerability if they replace the ClamD log file with a symlink to a
> | critical system file and then find a way to restart the ClamD
> | process. An exploit could allow the attacker to corrupt a critical
> | system file by appending ClamD log messages after restart.
>
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-20505
>     https://www.cve.org/CVERecord?id=CVE-2024-20505
> [1] https://security-tracker.debian.org/tracker/CVE-2024-20506
>     https://www.cve.org/CVERecord?id=CVE-2024-20506
> [2]
> https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html
>
> Regards,
> Salvatore
>
>
>
> ---------- Forwarded message ----------
> From: Debian FTP Masters <ftpmaster at ftp-master.debian.org>
> To: 1080962-close at bugs.debian.org
> Cc:
> Bcc:
> Date: Thu, 03 Oct 2024 12:05:39 +0000
> Subject: Bug#1080962: fixed in clamav 1.4.1+dfsg-1
> Source: clamav
> Source-Version: 1.4.1+dfsg-1
> Done: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
>
> We believe that the bug you reported is fixed in the latest version of
> clamav, which is due to be installed in the Debian FTP archive.
>
> A summary of the changes between this version and the previous one is
> attached.
>
> Thank you for reporting the bug, which will now be closed.  If you
> have further comments please address them to 1080962 at bugs.debian.org,
> and the maintainer will reopen the bug report if appropriate.
>
> Debian distribution maintenance software
> pp.
> Sebastian Andrzej Siewior <sebastian at breakpoint.cc> (supplier of updated
> clamav package)
>
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing ftpmaster at ftp-master.debian.org)
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Thu, 03 Oct 2024 10:51:50 +0200
> Source: clamav
> Architecture: source
> Version: 1.4.1+dfsg-1
> Distribution: unstable
> Urgency: medium
> Maintainer: ClamAV Team <pkg-clamav-devel at lists.alioth.debian.org>
> Changed-By: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
> Closes: 1080962
> Changes:
>  clamav (1.4.1+dfsg-1) unstable; urgency=medium
>  .
>    * Import 1.4.1 (Closes: #1080962)
>      - CVE-2024-20506 (Changed the logging module to disable following
> symlinks
>        on Linux)
>      - CVE-2024-20505 (Fixed a possible out-of-bounds read bug in the PDF
> file
>        parser).
> Checksums-Sha1:
>  7917b33188d4e2d7693c4f33a07c2a5660528072 3080 clamav_1.4.1+dfsg-1.dsc
>  587f15fe0a3863030a4b698b8a5e0bef7b93d68c 33150848
> clamav_1.4.1+dfsg.orig.tar.xz
>  c033266e899948ad3f5ff76e0fdbb4245cce79ba 503988
> clamav_1.4.1+dfsg-1.debian.tar.xz
> Checksums-Sha256:
>  288144b3649f1dc686f0ebb96b60dae69d37445eac77f6303e26a6fb81359ab6 3080
> clamav_1.4.1+dfsg-1.dsc
>  9a994a41d0110a874be7183b3410c91f53c0a6c2eb9dc94c47d47ae0d4a62d0f 33150848
> clamav_1.4.1+dfsg.orig.tar.xz
>  fecf245f7cf6ee469138376a96ae935221624fdc4d347eda0c85806d1ce3e998 503988
> clamav_1.4.1+dfsg-1.debian.tar.xz
> Files:
>  070b175efeb30509b34678ac00010653 3080 utils optional
> clamav_1.4.1+dfsg-1.dsc
>  88d72153305c1c8f0dda1d3380e82c94 33150848 utils optional
> clamav_1.4.1+dfsg.orig.tar.xz
>  0f092e2022314304f9f3c3b419417538 503988 utils optional
> clamav_1.4.1+dfsg-1.debian.tar.xz
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCgAdFiEEZCVGlf/wqkRmzBnme5boFiqM9dEFAmb+hhEACgkQe5boFiqM
> 9dFpIhAAkbSGkY1fP7+U0RChljv4nNd7OIL2y7cEutkKpTc6z1cQb01aHmVHVsrC
> vu1ePM+n3KSy/+5wQ5WRZ1YZpGgiqqWgrXgcFnDl4vgBccqvot6sBaB4HhGFPW8f
> 37fRPSrQhhEayos9MSc6R1kGPbbo7Xnv06KJC1IZ4jtkUTsR7OGBdEr5hx/lfYkB
> prmmyd02dF4eRODUGD/rfVT6IJRj9RbOqgGZWOBIsPkXS+tTO/1vtTFYlh44BM8B
> I7VEN+l4FrbrxahFBVqaEu9qqsWB1MeoOG7nT2DVmIH5fqhiS0MqS1YN+gmEdwYA
> 41E40IacZeLct6G0SF0+u/JW9LVNphxga+rBW8fSAQ3z32kOnYipgHgCMMlUUUZK
> zfqZyk/+0JCseHA4v7Z5HecSVMMe3fhJWhLQWWh+j0ft6vv0fMFJWcYjNqvN+1SV
> UGh1kPdp2l8dr4ezVqht4i1WDNcU0liSK+CHBLJoJuWyI0sSuthDkgfsa5PWdyaq
> ZouCwnjEIyT7NMwcFBiaeyJpUmAJDoflyfFqTXBwzcfhFzZ5nC6aGpPERyGKvbxq
> WumdcTv+KQsjAa/ujCgA+J1lZHwQv8X1dh/4eyM0G/QJM5ySDuEImYMVjunU1JIN
> VJKmcrTQbjQ3AoFy3iJyR1nEZMDgEtMfE3FKgk8aVCJyCaE8S4M=
> =6JQk
> -----END PGP SIGNATURE-----
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-clamav-devel/attachments/20241003/a08706d6/attachment-0001.htm>