| Summary: | <app-antivirus/clamav-0.98.7: Multiple vulnerabilities (CVE-2015-{2170,2221,2222,2668}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Frank Krömmelbein <kroemmelbein> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | angie, antivirus, barzog, bug, hanno, hydrapolic, jaco, kevin, mlspamcb, mstockin, net-mail+disabled, sacoetzee |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B2 [glsa cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 460124, 487020, 551426 | | |
| Bug Blocks: | 538084 | | |
Description
Frank Krömmelbein
2015-04-28 21:11:27 UTC
Please stabilize the new clamav..

WARNING: Your ClamAV installation is OUTDATED! WARNING: Local version: 0.98.5 Recommended version: 0.98.7 DON'T PANIC! Read http://www.clamav.net/support/faq main.cvd version from DNS: 55 Retrieving http://database.clamav.net/main-55.cdiff Trying to download http://database.clamav.net/main-55.cdiff (IP: 145.58.29.83) Downloading main-55.cdiff [100%]

no need to wait for systemd, for the ppl not running systemd.

http://www.openwall.com/lists/oss-security/2015/05/03/1
http://www.openwall.com/lists/oss-security/2015/05/03/2
http://www.openwall.com/lists/oss-security/2015/05/03/3
http://www.openwall.com/lists/oss-security/2015/05/03/4
http://www.openwall.com/lists/oss-security/2015/05/03/5

Any progress on this? This is a security issue so we really need to get the update out ASAP. Please. As per Nico: no need to wait for systemd, for the ppl not running systemd. The current version has no systemd support that I'm aware of so if that is a concern, just release a -r1 but please get this out the door as soon as possible.

Renaming of the Ebuild of the actual version works for me.

clamscan --version
ClamAV 0.98.7/20474/Sun May 17 09:38:29 2015

*** Bug 549810 has been marked as a duplicate of this bug. ***

Progress status?

(In reply to Frank Krömmelbein from comment #4)
> Renaming of the Ebuild of the actual version works for me.
>
> clamscan --version
> ClamAV 0.98.7/20474/Sun May 17 09:38:29 2015

I can confirm on amd64.

what is holding this up?

(In reply to Nico Baggus from comment #8)
> what is holding this up?

The fact I am the only one in the antivirus herd and I was quite busy otherwise and completely missed this. Sorry for that.

committed 0.98.7. Would be great if a few others could test it before we put it up for STABLEREQ (since I am short on time)

No problem, I will run amd64 & x86 when available.

Tested on ~amd64 and amd64 hardened, seems to work ok.

*** Bug 550652 has been marked as a duplicate of this bug. ***

It compiles & installs clean. freshclam works and does not complain. AFAICT it functions, on both amd64 and x86.

ok thanks for the additional testing. putting in STABLEREQ and CC'ing ARCH teams. Leaving the rest to security team then ;)

Arches, please test and mark stable:
=app-antivirus/clamav-0.98.7
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

amd64 stable

x86 stable

CVE-2015-2668 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2668): ClamAV before 0.98.7 allows remote attackers to cause a denial of service (infinite loop) via a crafted xz archive file.
CVE-2015-2222 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2222): ClamAV before 0.98.7 allows remote attackers to cause a denial of service (crash) via a crafted petite packed file.
CVE-2015-2221 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2221): ClamAV before 0.98.7 allows remote attackers to cause a denial of service (infinite loop) via a crafted y0da cryptor file.
CVE-2015-2170 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2170): The upx decoder in ClamAV before 0.98.7 allows remote attackers to cause a denial of service (crash) via a crafted file.

ppc stable

alpha stable

Pending CVE http://seclists.org/oss-sec/2015/q2/346 All others have been entered.

sparc stable

ia64 stable

ppc64 stable

I guess there is no point in holding up stabilisation if the blocking bugs don't get fixed.

Stable for HPPA.

Arches, Thank you for your work. New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).

Ok let's try again. Maintainer(s), please drop the vulnerable version(s).

This issue was resolved and addressed in GLSA 201512-08 at https://security.gentoo.org/glsa/201512-08 by GLSA coordinator Yury German (BlueKnight).

Re-Opening for cleanup. Maintainers, the GLSA has been released please clean up the Vulnerable versions.

done: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=42315a699eed0f82c83ace523c7190a1e7c0e673
Sorry for the delay.
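As an added example (not code from the bug, from Gentoo or from ClamAV), a Python check that reads the version banner printed by `clamscan --version` or by freshclam's OUTDATED warning, both of which are quoted in the thread, and reports which of the four CVEs above an engine older than 0.98.7 still lacks fixes for. The function names and the constructed sample banners are mine.

```python
import re
import shutil
import subprocess

# The bug stabilizes 0.98.7; every CVE in its title is fixed at that release.
FIXED_VERSION = (0, 98, 7)
CVES = ("CVE-2015-2170", "CVE-2015-2221", "CVE-2015-2222", "CVE-2015-2668")

# Matches "ClamAV 0.98.7/20474/..." (clamscan) and "Local version: 0.98.5" (freshclam).
_VERSION_RE = re.compile(r"(?:ClamAV|Local version:)\s+(\d+)\.(\d+)\.(\d+)")


def parse_clamav_version(banner):
    """Return the installed engine version as a (major, minor, patch) tuple,
    or None if no version string is found in the banner text."""
    m = _VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def missing_fixes(banner):
    """Return the CVEs from this bug that the engine in `banner` predates."""
    version = parse_clamav_version(banner)
    if version is None:
        raise ValueError("no ClamAV version in banner: %r" % banner)
    return CVES if version < FIXED_VERSION else ()


def installed_banner():
    """Run clamscan --version if it is on PATH; return None otherwise so the demo stays offline."""
    exe = shutil.which("clamscan")
    if exe is None:
        return None
    return subprocess.run([exe, "--version"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed sample banners, modelled on the output quoted in the thread.
    samples = [
        "ClamAV 0.98.7/20474/Sun May 17 09:38:29 2015",
        "WARNING: Your ClamAV installation is OUTDATED! WARNING: Local version: 0.98.5 "
        "Recommended version: 0.98.7",
    ]
    live = installed_banner()
    if live:
        samples.append(live)
    for banner in samples:
        lacking = missing_fixes(banner)
        status = "missing " + ", ".join(lacking) if lacking else "not affected"
        print("%s -> %s" % (parse_clamav_version(banner), status))
```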