Your message dated Sat, 02 Sep 2023 12:17:13 +0000
with message-id <e1qcpyv-00ep7l...@fasolo.debian.org>
and subject line Bug#1050057: fixed in clamav 1.0.2+dfsg-1~deb12u1
has caused the Debian Bug report #1050057,
regarding clamav: CVE-2023-20197 CVE-2023-20212
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1050057: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050057
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: clamav
Version: 1.0.1+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 0.103.8+dfsg-0+deb11u1

Hi,

The following vulnerabilities were published for clamav.

CVE-2023-20197[0]:
| A vulnerability in the filesystem image parser for Hierarchical File
| System Plus (HFS+) of ClamAV could allow an unauthenticated, remote
| attacker to cause a denial of service (DoS) condition on an affected
| device. This vulnerability is due to an incorrect check for
| completion when a file is decompressed, which may result in a loop
| condition that could cause the affected software to stop responding.
| An attacker could exploit this vulnerability by submitting a crafted
| HFS+ filesystem image to be scanned by ClamAV on an affected device.
| A successful exploit could allow the attacker to cause the ClamAV
| scanning process to stop responding, resulting in a DoS condition on
| the affected software and consuming available system resources.
| For a description of this vulnerability, see the ClamAV blog.


CVE-2023-20212[1]:
| A vulnerability in the AutoIt module of ClamAV could allow an
| unauthenticated, remote attacker to cause a denial of service (DoS)
| condition on an affected device. This vulnerability is due to a
| logic error in the memory management of an affected device. An
| attacker could exploit this vulnerability by submitting a crafted
| AutoIt file to be scanned by ClamAV on the affected device. A
| successful exploit could allow the attacker to cause the ClamAV
| scanning process to restart unexpectedly, resulting in a DoS
| condition.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-20197
    https://www.cve.org/CVERecord?id=CVE-2023-20197
[1] https://security-tracker.debian.org/tracker/CVE-2023-20212
    https://www.cve.org/CVERecord?id=CVE-2023-20212
[1] https://blog.clamav.net/2023/07/2023-08-16-releases.html

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: clamav
Source-Version: 1.0.2+dfsg-1~deb12u1
Done: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1050...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebast...@breakpoint.cc> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 27 Aug 2023 11:35:11 +0200
Source: clamav
Architecture: source
Version: 1.0.2+dfsg-1~deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-de...@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Closes: 949100 1030171 1044136 1050057
Changes:
 clamav (1.0.2+dfsg-1~deb12u1) bookworm; urgency=medium
 .
   * Import 1.0.2 (Closes: #1050057)
     - CVE-2023-20197 (Possible DoS in HFS+ file parser).
     - CVE-2023-20212 (Possible DoS in AutoIt file parser).
   * Use cmake for xml2 detection (Closes: #949100).
   * Replace tomsfastmath with OpenSSL's BN.
   * Don't enable clamonacc by default (Closes: #1030171).
   * Let the clamav-daemon.socket depend on the service file again
     (Closes: #1044136).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
