Your message dated Sat, 19 Aug 2023 18:58:39 +0000
with message-id <e1qxr9j-0003wm...@fasolo.debian.org>
and subject line Bug#1050057: fixed in clamav 1.0.2+dfsg-1
has caused the Debian Bug report #1050057,
regarding clamav: CVE-2023-20197 CVE-2023-20212
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1050057: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050057
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: clamav
Version: 1.0.1+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 0.103.8+dfsg-0+deb11u1
Hi,
The following vulnerabilities were published for clamav.
CVE-2023-20197[0]:
| A vulnerability in the filesystem image parser for Hierarchical File
| System Plus (HFS+) of ClamAV could allow an unauthenticated, remote
| attacker to cause a denial of service (DoS) condition on an affected
| device. This vulnerability is due to an incorrect check for
| completion when a file is decompressed, which may result in a loop
| condition that could cause the affected software to stop responding.
| An attacker could exploit this vulnerability by submitting a crafted
| HFS+ filesystem image to be scanned by ClamAV on an affected device.
| A successful exploit could allow the attacker to cause the ClamAV
| scanning process to stop responding, resulting in a DoS condition on
| the affected software and consuming available system resources.
| For a description of this vulnerability, see the ClamAV blog.
CVE-2023-20212[1]:
| A vulnerability in the AutoIt module of ClamAV could allow an
| unauthenticated, remote attacker to cause a denial of service (DoS)
| condition on an affected device. This vulnerability is due to a
| logic error in the memory management of an affected device. An
| attacker could exploit this vulnerability by submitting a crafted
| AutoIt file to be scanned by ClamAV on the affected device. A
| successful exploit could allow the attacker to cause the ClamAV
| scanning process to restart unexpectedly, resulting in a DoS
| condition.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-20197
https://www.cve.org/CVERecord?id=CVE-2023-20197
[1] https://security-tracker.debian.org/tracker/CVE-2023-20212
https://www.cve.org/CVERecord?id=CVE-2023-20212
[2] https://blog.clamav.net/2023/07/2023-08-16-releases.html
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: clamav
Source-Version: 1.0.2+dfsg-1
Done: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1050...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebast...@breakpoint.cc> (supplier of updated clamav package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 19 Aug 2023 19:07:32 +0200
Source: clamav
Architecture: source
Version: 1.0.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-de...@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Closes: 949100 1030171 1044136 1050057
Changes:
clamav (1.0.2+dfsg-1) unstable; urgency=medium
.
* Import 1.0.2 (Closes: #1050057)
- CVE-2023-20197 (Possible DoS in HFS+ file parser).
- CVE-2023-20212 (Possible DoS in AutoIt file parser).
* Use cmake for xml2 detection (Closes: #949100).
* Replace tomsfastmath with OpenSSL's BN.
* Don't enable clamonacc by default (Closes: #1030171).
* Let the clamav-daemon.socket depend on the service file again
(Closes: #1044136).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---