Package: clamav
Version: 0.103.7+dfsg-0+deb11u1
Severity: important

Dear Maintainer,

ClamAV/Cisco have released a security advisory concerning 2 potential-RCE bugs in ClamAV:
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

According to the security tracker, all versions currently in Debian are vulnerable:
https://security-tracker.debian.org/tracker/CVE-2023-20032
https://security-tracker.debian.org/tracker/CVE-2023-20052

Please consider an update.

Currently, ClamAV is not suitable for use in a (quite common) email-scanning setup like with Amavis, but can still be used (with appropriate care) directly. Thus I think Severity: important fits.

Kind regards,
Robert

-- Package-specific info:
--- configuration ---
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

--- data dir ---
total 226104
-rw-r--r-- 1 clamav clamav    293670 Feb 17 14:46 bytecode.cvd
-rw-r--r-- 1 clamav clamav  60744631 Feb 17 14:44 daily.cvd
-rw-r--r-- 1 clamav clamav        69 Feb 17 14:43 freshclam.dat
-rw-r--r-- 1 clamav clamav 170479789 Feb 17 14:46 main.cvd

-- System Information:
Debian Release: 11.6
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.0-0.deb11.4-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages clamav depends on:
ii  clamav-freshclam [clamav-data]  0.103.7+dfsg-0+deb11u1
ii  libc6                           2.31-13+deb11u5
ii  libclamav9                      0.103.7+dfsg-0+deb11u1
ii  libcurl4                        7.74.0-1.3+deb11u3
ii  libjson-c5                      0.15-2
ii  libssl1.1                       1.1.1n-0+deb11u3
ii  zlib1g                          1:1.2.11.dfsg-2+deb11u2

Versions of packages clamav recommends:
ii  clamav-base  0.103.7+dfsg-0+deb11u1

Versions of packages clamav suggests:
pn  clamav-docs   <none>
pn  libclamunrar  <none>

-- no debconf information