On Sat, 2023-09-09 at 23:22 +0200, Sebastian Andrzej Siewior wrote:
> This is a quick update that I updated to 1.0.3+dfsg-1~deb12u1 as of
> today. The diff is mostly a version update. I additionally removed a log
> line from freshclam which logged harmless 304 "not modified" requests.
> This line was added in 1.0.0 and people complained, it got in as of
> 1.0.0 and is already removed in 1.1.x and later.
>
> The main reason for 1.0.3 was the unrar update and I updated so clamav
> does not complain about the lower version.
>
> It would be nice if this could be made available via d/updates.

How does this sound for an SUA?

===========
Package      : clamav
Version      : 1.0.3+dfsg-1~deb12u1 [bookworm]
               0.103.10+dfsg-0+deb11u1 [bullseye]
Importance   : medium

ClamAV is an AntiVirus toolkit for Unix.

Upstream published versions 1.0.3 and 0.103.10. This is a bug-fix
release and an upstream LTS release. The changes are not currently
required for operation, but upstream strongly recommends that users
update.

Changes since 1.0.1 and 0.103.8 currently in bookworm and bullseye
include fixes for a security issue:

CVE-2023-20197: Possible denial of service vulnerability in the HFS+
file parser.

The update for bookworm also includes a fix for a second security issue:

CVE-2023-20212: Possible denial of service vulnerability in the AutoIt
module.

If you use clamav, we recommend that you install this update.
===========

I'm not entirely happy with the CVE section, but not sure how else to
present it, given that both updates fix one issue but aiui the second
only applies to bookworm.

Regards,

Adam