This advisory is also available in the DFN-CERT portal at: <https://portal.cert.dfn.de/adv/DFN-CERT-2015-0117/>
ClamAV download page: <http://www.clamav.net/download.html>
ClamAV Security Advisory ClamAV-ADV-2015-01-27: <http://lurker.clamav.net/message/20150127.232443.27bcc068.en.html>
ClamAV Security Blog ClamAV Release 0.98.6: <http://blog.clamav.net/2015/01/clamav-0986-has-been-released.html>
Vulnerability CVE-2014-9328 (NVD): <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9328>
CVE-2015-1463 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1463): ClamAV before 0.98.6 allows remote attackers to cause a denial of service (crash) via a crafted petite packer file, related to an "incorrect compiler optimization."
CVE-2015-1462 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1462): ClamAV before 0.98.6 allows remote attackers to have unspecified impact via a crafted upx packer file, related to a "heap out of bounds condition."
CVE-2015-1461 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1461): ClamAV before 0.98.6 allows remote attackers to have unspecified impact via a crafted (1) Yoda's crypter or (2) mew packer file, related to a "heap out of bounds condition."
CVE-2014-9328 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9328): ClamAV before 0.98.6 allows remote attackers to have unspecified impact via a crafted upack packer file, related to a "heap out of bounds condition."
@maintainers: Package is already in tree, please call for stabilization when appropriate.
Any blockers here?
Sorry for the delay, I've been quite busy lately, so not too much time on Gentoo (even though I try to keep up on security issues, but I missed this one - and the next one in the dependency bug). Since there's no point in stabilizing this, I just add a depend on the 0.98.6 security bug #548066.
This issue was resolved and addressed in GLSA 201512-08 at https://security.gentoo.org/glsa/201512-08 by GLSA coordinator Yury German (BlueKnight).