Your message dated Sat, 18 Feb 2023 19:02:26 +0000
with message-id <e1ptsta-009hnm...@fasolo.debian.org>
and subject line Bug#1031509: fixed in clamav 0.103.8+dfsg-0+deb11u1
has caused the Debian Bug report #1031509,
regarding clamav: new upstream security release, CVE-2023-20032
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1031509: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031509
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: clamav
Severity: grave

Hi,

As you'll likely know there is
https://security-tracker.debian.org/tracker/CVE-2023-20032 and
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

"CVE-2023-20032: Fixed a possible remote code execution vulnerability in
the HFS+ file parser. The issue affects versions 1.0.0 and earlier,
0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon
Scannell for reporting this issue."

Upstream released fixed tarballs for all their supported branches.
I've managed to build 0.103.8+dfsg-0+deb10u1~uvt0 for Debian 10/buster
from that; it's available from https://non-gnu.uvt.nl/debian/buster/clamav/
(including sources). We are now running this build on the Tilburg
University mail infrastructure; it might work for others too.

Anybody working on a proper Debian-supplied fix: feel free to contact me
(via IRC, e.g.).

HTH,

Bye,

Joost

--
Joost van Baal-Ilić                     http://abramowitz.uvt.nl/
Tilburg University          mailto:joostvb.uvt.nl  The Netherlands
--- End Message ---
--- Begin Message ---
Source: clamav
Source-Version: 0.103.8+dfsg-0+deb11u1
Done: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1031...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebast...@breakpoint.cc> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 17 Feb 2023 21:43:57 +0100
Source: clamav
Architecture: source
Version: 0.103.8+dfsg-0+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-de...@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Closes: 1031509
Changes:
 clamav (0.103.8+dfsg-0+deb11u1) bullseye; urgency=medium
 .
   * Import 0.103.8 (Closes: #1031509)
     - CVE-2023-20032 (Possible RCE in the HFS+ file parser).
     - CVE-2023-20052 (Possible information leak in the DMG file parser).
Checksums-Sha1:
 8b99d177c1a511a5683800516448ab8f31b00215 2809 clamav_0.103.8+dfsg-0+deb11u1.dsc
 23abb9015972460c9ead147ed691e46e857ca1a3 7130804 clamav_0.103.8+dfsg.orig.tar.xz
 6ac65a4ae397f7f82d1b698f3f7cc942a9644338 220388 clamav_0.103.8+dfsg-0+deb11u1.debian.tar.xz
Checksums-Sha256:
 cdc076fa44d055d1795d0e00223a2488ae7bdfa84e66411e693a9b3b45a77b13 2809 clamav_0.103.8+dfsg-0+deb11u1.dsc
 e218adee2fb7e9eec4dbef04f25554cff65b771ea039f00136b2ed9a5b49fbba 7130804 clamav_0.103.8+dfsg.orig.tar.xz
 87c5e9f844a70c79c5192562eacf62cfa6c0ab4850b653519896b5df8d146bf5 220388 clamav_0.103.8+dfsg-0+deb11u1.debian.tar.xz
Files:
 458a5071d97c7c94f9912a3c84d396c5 2809 utils optional clamav_0.103.8+dfsg-0+deb11u1.dsc
 b36e464f39364dde17f77220a105c433 7130804 utils optional clamav_0.103.8+dfsg.orig.tar.xz
 8f1e64c581db249313ecc56bf1b9558f 220388 utils optional clamav_0.103.8+dfsg-0+deb11u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEEV4kucFIzBRM39v3RBWQfF1cS+lsFAmPv6wUACgkQBWQfF1cS
+lvL2gv/XTVJN8xXqYOTfx802ZXvUBXn87gtCC7FXuT1w30zRp1aN5issYK6JzE3
PdGCF8jqEKR+G06DBI4cScY3AoIJVWODpLO4j12Be3kJlzAH3kKGVkWoyJLTCSWv
oBibz2xqWx2HIr6BQjiMs8/8npVhcbt6DS8Y1o8B2n2TBfWDM+nuIPxjD8Zc/5lJ
DHHyij5rUv8yu9EHYTrWhCF0p2V46B/7q9p51cqyVZF7bPgMcC+YDZ4SIFHH/srh
Q46XtNm/IVWc48McdVA8jSFJxtn6CkPnzbpXmpHTsGEEnBrzlSqqkMbELQgBQwBq
RJ6U8iZLjdh++W4AJjhMo2/LoxCsicc7ukvrhn4ROxdnPqXBc3l2xRVikgcEgz7R
G0eliaQHf0p+y5H9d+5iuWpgh76UsNYY7uFSrrYMC9qt/38rmxrNUw3g+H8bE9Mg
If6ZjPzjdgTuwgg3Xq04Tis/6gB4XYkAOzAgQPy5FqENA7LyPyBPBepcSo5dKNLd
L+kLbGnc
=Yo8w
-----END PGP SIGNATURE-----
--- End Message ---
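Added example (not part of the bug report, the Debian package or the clamav project): a check that maps a Debian clamav package version onto the affected ranges quoted in the report above ("1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier"), so an administrator can tell whether a bullseye (0.103.8+dfsg-0+deb11u1), buster backport (0.103.8+dfsg-0+deb10u1~uvt0) or self-built installation is covered. Assumptions: the first fixed release on each supported branch (0.103.8, 0.105.2, 1.0.1) is read from the title of the upstream blog post URL the reporter links; releases on a branch with no fixed point release (e.g. 0.104.x) are treated as affected because they fall under "1.0.0 and earlier"; the version-string handling and the optional dpkg-query lookup are my own.

```python
"""Classify a ClamAV package version against the CVE-2023-20032 advisory ranges.

Added example, not code from the bug report or from the clamav package.
Affected ranges: 1.0.0 and earlier, 0.105.1 and earlier, 0.103.7 and earlier
(quoted in the report). Fixed releases per branch (0.103.8, 0.105.2, 1.0.1)
are taken from the upstream blog post title linked in the report.
"""
import re
import subprocess
from typing import Optional, Tuple

# First release of each upstream-supported branch that carries the fix.
# (Assumption: read from the blog post URL "clamav-01038-01052-and-101-patch".)
FIXED = {
    (0, 103): (0, 103, 8),
    (0, 105): (0, 105, 2),
    (1, 0): (1, 0, 1),
}
# Highest affected release overall, per the advisory's "1.0.0 and earlier".
LAST_AFFECTED = (1, 0, 0)


def upstream_version(debian_version: str) -> Tuple[int, ...]:
    """Reduce a Debian package version to the numeric upstream release.

    Debian versions look like [epoch:]upstream[-revision]; Debian repacks the
    tarball as "+dfsg" without changing the upstream release number, so that
    tag is dropped too.  '1:0.103.8+dfsg-0+deb11u1' -> (0, 103, 8)
    """
    v = debian_version.split(":", 1)[-1]            # drop epoch if present
    v = v.rsplit("-", 1)[0] if "-" in v else v      # drop Debian revision
    v = v.split("+", 1)[0]                           # drop +dfsg / +repack tags
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised ClamAV version: {debian_version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(debian_version: str) -> bool:
    """True if the version lies inside the advisory's affected ranges."""
    v = upstream_version(debian_version)
    if v > LAST_AFFECTED:
        return False                 # 1.0.1 and anything newer
    fixed = FIXED.get(v[:2])
    if fixed is not None and v >= fixed:
        return False                 # patched point release on a supported branch
    return True                      # unpatched, or a branch with no fixed release


def installed_version(package: str = "clamav") -> Optional[str]:
    """Ask dpkg for the installed version; None if dpkg or the package is absent."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Version}", package],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample versions: the bullseye fix, the buster backport from
    # the report, and the boundary releases named in the advisory.
    for sample in ("0.103.7+dfsg-0+deb11u1", "0.103.8+dfsg-0+deb11u1",
                   "0.103.8+dfsg-0+deb10u1~uvt0", "0.105.1", "1.0.0", "1.0.1"):
        print(f"{sample:32} vulnerable={is_vulnerable(sample)}")
    inst = installed_version()
    if inst:
        print(f"installed clamav {inst:20} vulnerable={is_vulnerable(inst)}")
```

Run it on the host in question; the last line reports the installed package, and a non-Debian build can be passed to is_vulnerable() directly. The check only reflects the version ranges the advisory names and says nothing about whether HFS+ scanning is reachable in a given deployment.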