Your message dated Tue, 21 Feb 2023 20:40:48 +0100
with message-id <20230221194048.gc28...@inutil.org>
and subject line Re: [Pkg-clamav-devel] Bug#1031509: ETA on Patch for Buster
has caused the Debian Bug report #1031509,
regarding clamav: new upstream security release, CVE-2023-20032
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1031509: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031509
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: clamav
Severity: grave

Hi,

As you'll likely know there is
https://security-tracker.debian.org/tracker/CVE-2023-20032 and
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

"CVE-2023-20032: Fixed a possible remote code execution vulnerability in the
HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and
earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting
this issue."

Upstream released fixed tarballs for all their supported branches.  I've
managed to build 0.103.8+dfsg-0+deb10u1~uvt0 for Debian 10/buster from that,
it's available from https://non-gnu.uvt.nl/debian/buster/clamav/ (including
sources).

We are now running this build on the Tilburg University mail infrastructure,
it might work for others too.

Anybody working on a proper Debian supplied fix: feel free to contact me (via
IRC, e.g.)

HTH, Bye,

Joost

-- 
Joost van Baal-Ilić                       http://abramowitz.uvt.nl/
                                                 Tilburg University
mailto:joostvb.uvt.nl                               The Netherlands



--- End Message ---
--- Begin Message ---
Version: 0.103.8+dfsg-0+deb10u1

On Tue, Feb 21, 2023 at 08:12:54PM +0100, Sebastian Andrzej Siewior wrote:
> +LTS
> 
> On 2023-02-20 12:22:48 [+0200], Andries Malan wrote:
> > Hi There
> Hi,
> 
> > Would you be so kind as to provide an ETA for the above mentioned bug that
> > was reported.
> > This would be greatly appreciated.
> 
> I Cced the LTS team because Buster is LTS territory.

An update for Buster has already been released yesterday:
https://lists.debian.org/debian-lts-announce/2023/02/msg00022.html

Cheers,
        Moritz

--- End Message ---
