Security: Denial of Service in clamav
Name: Denial of Service in clamav
ID: FEDORA-2019-1543eae191
Distribution: Fedora
Platforms: Fedora 31
Date: Wed, 4 December 2019, 07:45
References: https://bugzilla.redhat.com/show_bug.cgi?id=1764835
https://bugzilla.redhat.com/show_bug.cgi?id=1631525
https://bugzilla.redhat.com/show_bug.cgi?id=1725810
https://bugzilla.redhat.com/show_bug.cgi?id=1775550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15961
Applications: Clam Antivirus

Original message

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-1543eae191
2019-12-04 01:14:42.699071
--------------------------------------------------------------------------------

Name : clamav
Product : Fedora 31
Version : 0.101.5
Release : 1.fc31
URL : https://www.clamav.net/
Summary : End-user tools for the Clam Antivirus scanner
Description :
Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this
software is the integration with mail servers (attachment scanning). The
package provides a flexible and scalable multi-threaded daemon, a command
line scanner, and a tool for automatic updating via Internet. The programs
are based on a shared library distributed with the Clam AntiVirus package,
which you can use with your own software. The virus database is based on
the virus database from OpenAntiVirus, but contains additional signatures
(including signatures for popular polymorphic viruses, too) and is KEPT UP
TO DATE.

--------------------------------------------------------------------------------
Update Information:

- Drop clamd@scan.service file (bz#1725810)

ClamAV 0.101.5 is a security patch release that addresses the following issues.

- CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may occur when
  scanning a specially crafted email file as a result of excessively long scan
  times. The issue is resolved by implementing several maximums in parsing MIME
  messages and by optimizing use of memory allocation.
- Added the zip scanning improvements found in v0.102.0 where it scans files
  using zip records from a sorted catalogue which provides deduplication of
  file records resulting in faster extraction and scan time and reducing the
  likelihood of alerting on non-malicious duplicate file entries as overlapping
  files.
- Signature load time is significantly reduced by changing to a more efficient
  algorithm for loading signature patterns and allocating the AC trie. Patch
  courtesy of Alberto Wu.
- Introduced a new configure option to statically link libjson-c with
  libclamav. Static linking with libjson is highly recommended to prevent
  crashes in applications that use libclamav alongside another JSON parsing
  library.
- Null-dereference fix in email parser when using the --gen-json metadata
  option.

----

Add TimeoutStartSec=420 to clamd@.service to match upstream
--------------------------------------------------------------------------------
ChangeLog:

* Sat Nov 23 2019 Orion Poplawski <orion@nwra.com> - 0.101.5-1
- Update to 0.101.5 (CVE-2019-15961) (bz#1775550)
* Mon Nov 18 2019 Orion Poplawski <orion@nwra.com> - 0.101.4-3
- Drop clamd@scan.service file (bz#1725810)
- Change /var/run to /run
* Mon Nov 18 2019 Orion Poplawski <orion@nwra.com> - 0.101.4-2
- Add TimeoutStartSec=420 to clamd@.service to match upstream (bz#1764835)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1631525 - clamav: clamscan --gen-json does not output JSON
https://bugzilla.redhat.com/show_bug.cgi?id=1631525
[ 2 ] Bug #1775550 - Request to build clamav 0.101.5 for EPEL 7
https://bugzilla.redhat.com/show_bug.cgi?id=1775550
[ 3 ] Bug #1725810 - /usr/lib/systemd/system/clamd@scan.service:1: .include directives are deprecated
https://bugzilla.redhat.com/show_bug.cgi?id=1725810
[ 4 ] Bug #1764835 - clamd at 100% CPU and SystemD keeps restarting clamd
https://bugzilla.redhat.com/show_bug.cgi?id=1764835
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-1543eae191' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org