Kolab Security Issue 16 20070724
================================

Package: Kolab Server, ClamAV
Vulnerability: denial of service
Kolab Specific: no
Dependent Packages: none

Summary
~~~~~~~

CVE-2007-3725

Metaeye Security Group discovered that ClamAV crashes while processing a
corrupted RAR file, due to the handling of standard filters in the RAR VM.

Kolab servers use the clamd daemon for filtering. While Kolab Server 2.0
passes subsequent mails through without ClamAV scanning them, Kolab Server
2.1 falls back to using the command line clamscan utility, which
significantly increases processing overhead.

Affected Versions
~~~~~~~~~~~~~~~~~

This affects versions of ClamAV up to version 0.90.3.

Kolab Server 2.1.0 and previous releases of the 2.1 branch are affected.
Kolab Server 2.0.4 and previous releases of the 2.0 branch are affected.
Kolab Server 2.2-beta1 is affected.

Fix
~~~

Upgrade to ClamAV 0.91.1.

The ClamAV source RPM is available from the Kolab download mirrors as:

  security-updates/20070724/clamav-0.91.1-20070718_kolab.src.rpm

A binary RPM for Kolab Server 2.1.0 (ix86 Debian GNU/Linux Sarge) is
available:

  security-updates/20070724/clamav-0.91.1-20070718_kolab.ix86-debian3.1-kolab.rpm

All other server versions: please build from the src.rpm.

The mirrors are listed on http://kolab.org/mirrors.html

While the mirrors are catching up, you can also get the package via rsync:

  # rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20070724/clamav-0.91.1-20070718_kolab.src.rpm .
  # rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20070724/clamav-0.91.1-20070718_kolab.ix86-debian3.1-kolab.rpm .
MD5 sums:

  4ed62987a0871b0d6ab7520e85fc3a25  clamav-0.91.1-20070718_kolab.src.rpm
  aebbcde54deb366b0f7966f4c947b1de  clamav-0.91.1-20070718_kolab.ix86-debian3.1-kolab.rpm

The package can be installed on your Kolab Server with

  # /kolab/bin/openpkg rpm --rebuild clamav-0.91.1-20070718_kolab.src.rpm
  # /kolab/bin/openpkg rpm \
      -Uvh /kolab/RPM/PKG/clamav-0.91.1-20070718_kolab.*-*-kolab.rpm
  # rm /kolab/etc/clamav/clamd.conf.rpmsave
  # /kolab/bin/openpkg rc clamav restart
  # su - kolab-r
  $ freshclam

For Kolab Server 2.0.4 you have to copy the new /kolab/etc/clamav/clamd.conf
to /kolab/etc/kolab/templates/clamd.conf.template so it will not be
overwritten by kolabconf.

Do NOT copy this file with Kolab Server 2.1 or 2.2!

Details
~~~~~~~

http://sourceforge.net/project/shownotes.php?release_id=522414
  ClamAV 0.91 release notes

http://sourceforge.net/project/shownotes.php?release_id=523634
  ClamAV 0.91.1 release notes

http://www.securityfocus.com/bid/24866
  Multiple Vendors RAR Handling Remote Null Pointer Dereference
  Vulnerability (CVE-2007-3725)

http://www.metaeye.org/advisories/54
  Metaeye Security Group: Advisory and proof of concept file.

Timeline
~~~~~~~~

20070711 ClamAV release 0.91.
20070711 OpenPKG 0.91 package release.
20070716 ClamAV release 0.91.1.
20070718 OpenPKG 0.91.1 package release.
20070724 Kolab Server security advisory published.
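The rsync download, MD5 verification and OpenPKG install steps from the Fix section, combined into one added shell script that is not part of the advisory: it refuses to install a package whose digest does not match the published sum. It assumes GNU md5sum or BSD md5 is on the path, runs freshclam via `su -c` rather than an interactive shell, and executes the privileged steps only when KOLAB_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the advisory): download the 0.91.1 packages,
# verify the published MD5 sums, then run the OpenPKG rebuild/install steps.
set -eu

MIRROR="rsync://rsync.kolab.org/kolab/server/security-updates/20070724"
SRC_RPM="clamav-0.91.1-20070718_kolab.src.rpm"
BIN_RPM="clamav-0.91.1-20070718_kolab.ix86-debian3.1-kolab.rpm"

# MD5 sums exactly as published in the advisory; unknown names return 1.
md5_for() {
    case "$1" in
        "$SRC_RPM") echo 4ed62987a0871b0d6ab7520e85fc3a25 ;;
        "$BIN_RPM") echo aebbcde54deb366b0f7966f4c947b1de ;;
        *) return 1 ;;
    esac
}

# Print the MD5 digest of a file (GNU md5sum or BSD md5, assumed available).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Return 0 when the file's digest equals the expected one, 1 otherwise.
check_sum() {  # $1 = expected hex digest, $2 = path
    [ "$(file_md5 "$2")" = "$1" ]
}

# Fetch one package from the mirror and stop on a checksum mismatch.
fetch_verified() {  # $1 = package file name
    rsync -tvP "$MIRROR/$1" .
    check_sum "$(md5_for "$1")" "$1" || { echo "MD5 mismatch: $1" >&2; return 1; }
}

# The advisory's install steps; guarded so the file can be sourced safely.
if [ "${KOLAB_APPLY:-0}" = 1 ]; then
    fetch_verified "$SRC_RPM"
    /kolab/bin/openpkg rpm --rebuild "$SRC_RPM"
    /kolab/bin/openpkg rpm -Uvh /kolab/RPM/PKG/clamav-0.91.1-20070718_kolab.*-*-kolab.rpm
    rm -f /kolab/etc/clamav/clamd.conf.rpmsave
    /kolab/bin/openpkg rc clamav restart
    su - kolab-r -c freshclam   # assumption: equivalent to "su - kolab-r" then "freshclam"
fi
```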