Your message dated Tue, 21 Feb 2023 20:40:48 +0100
with message-id <20230221194048.gc28...@inutil.org>
and subject line Re: [Pkg-clamav-devel] Bug#1031509: ETA on Patch for Buster
has caused the Debian Bug report #1031509,
regarding clamav: 2 RCE bugs in ClamAV 0.103 (+ 1.0.0),
CVE-2023-20032/CVE-2023-20052
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1031509: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031509
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: clamav
Version: 0.103.7+dfsg-0+deb11u1
Severity: important
Dear Maintainer,
ClamAV/Cisco have released a security advisory concerning 2 potential-RCE
bugs in ClamAV:
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html
According to the security tracker, all versions currently in Debian
are vulnerable:
https://security-tracker.debian.org/tracker/CVE-2023-20032
https://security-tracker.debian.org/tracker/CVE-2023-20052
Please consider an update. Currently, ClamAV is not suitable for use in a
(quite common) email-scanning setup like with Amavis, but can still be
used (with appropriate care) directly. Thus I think Severity: important fits.
Kind regards,
Robert
-- Package-specific info:
--- configuration ---
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
--- data dir ---
total 226104
-rw-r--r-- 1 clamav clamav 293670 Feb 17 14:46 bytecode.cvd
-rw-r--r-- 1 clamav clamav 60744631 Feb 17 14:44 daily.cvd
-rw-r--r-- 1 clamav clamav 69 Feb 17 14:43 freshclam.dat
-rw-r--r-- 1 clamav clamav 170479789 Feb 17 14:46 main.cvd
-- System Information:
Debian Release: 11.6
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates'), (500,
'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.18.0-0.deb11.4-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages clamav depends on:
ii clamav-freshclam [clamav-data] 0.103.7+dfsg-0+deb11u1
ii libc6 2.31-13+deb11u5
ii libclamav9 0.103.7+dfsg-0+deb11u1
ii libcurl4 7.74.0-1.3+deb11u3
ii libjson-c5 0.15-2
ii libssl1.1 1.1.1n-0+deb11u3
ii zlib1g 1:1.2.11.dfsg-2+deb11u2
Versions of packages clamav recommends:
ii clamav-base 0.103.7+dfsg-0+deb11u1
Versions of packages clamav suggests:
pn clamav-docs <none>
pn libclamunrar <none>
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 0.103.8+dfsg-0+deb10u1
On Tue, Feb 21, 2023 at 08:12:54PM +0100, Sebastian Andrzej Siewior wrote:
> +LTS
>
> On 2023-02-20 12:22:48 [+0200], Andries Malan wrote:
> > Hi There
> Hi,
>
> > Would you be so kind as to provide an ETA for the above mentioned bug that
> > was reported.
> > This would be greatly appreciated.
>
> I Cced the LTS team because Buster is LTS territory.
An update for Buster was already released yesterday:
https://lists.debian.org/debian-lts-announce/2023/02/msg00022.html
Cheers,
Moritz
--- End Message ---