-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 22 20080911
================================

Package:             Kolab Server, ClamAV
Vulnerability:       denial of service
Kolab Specific:      no
Dependent Packages:  none

Summary
~~~~~~~

Various unspecified memory corruption vulnerabilities and a bug in the
chm parser allowed remote attackers to cause a denial of service.
Further unknown attack vectors might exist.

Affected Versions
~~~~~~~~~~~~~~~~~

This affects versions of ClamAV up to version 0.93.1.

Kolab Server 2.2.0 and previous prereleases are affected.
Kolab Server 2.1.0 and previous releases of the 2.1 branch are affected.
Kolab Server 2.0.4 and previous releases of the 2.0 branch are affected.

Fix
~~~

Upgrade to ClamAV 0.94.

The ClamAV source RPM patched to be compilable with Kolab Server 2.1
and 2.0 is available from the Kolab download mirrors as:

  security-updates/20080911/clamav-0.94-20080905_kolab.src.rpm

For Kolab Server 2.2.0 the unmodified OpenPKG rpm can be used:

  security-updates/20080911/clamav-0.94-20080905.src.rpm

A binary RPM for Kolab Server 2.1.0 (ix86 Debian GNU/Linux Sarge) is
available:

  security-updates/20080911/clamav-0.94-20080905_kolab.ix86-debian3.1-kolab.rpm

A binary RPM for Kolab Server 2.2.0 (ix86 Debian GNU/Linux Etch) is
available from:

  security-updates/20080911/clamav-0.94-20080905_kolab.ix86-debian4.0-kolab.rpm

All other server versions: Please build from the src.rpm.

The mirrors are listed on http://kolab.org/mirrors.html

While the mirrors are catching up, you can also get the package via
rsync:

# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080911/clamav-0.94-20080905_kolab.src.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080911/clamav-0.94-20080905_kolab.ix86-debian3.1-kolab.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080911/clamav-0.94-20080905.src.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080911/clamav-0.94-20080905.ix86-debian4.0-kolab.rpm .

MD5 sums:

  35acf995ef8927a8ea76afb8502eb648  clamav-0.94-20080905.ix86-debian4.0-kolab.rpm
  0b6be1bf21deef9de8582a56d330aaef  clamav-0.94-20080905.src.rpm
  67ffd197c991b5d1dc83520a91b5ff57  clamav-0.94-20080905_kolab.ix86-debian3.1-kolab.rpm
  0b7d3a2a22f9a2c2e12bc0b14cc3b800  clamav-0.94-20080905_kolab.src.rpm

The package can be installed on your Kolab Server with

# /kolab/bin/openpkg rpm --rebuild clamav-0.94-20080905.src.rpm
# /kolab/bin/openpkg rpm \
    -Uvh /kolab/RPM/PKG/clamav-0.94-20080905.--kolab.rpm
# rm /kolab/etc/clamav/*.rpmsave
# /kolab/bin/openpkg rc clamav stop
# /kolab/bin/openpkg rc clamav start
# su - kolab-r
$ freshclam
$ rm -r /kolab/share/clamav/*.inc

For Kolab Server 2.0.4 you have to copy the new
/kolab/etc/clamav/clamd.conf to
/kolab/etc/kolab/templates/clamd.conf.template so it will not be
overwritten by kolabconf. Do NOT copy this file with Kolab Server 2.1
or 2.2!

Details
~~~~~~~

http://sourceforge.net/project/shownotes.php?release_id=623661&group_id=86638
  ClamAV 0.94 release notes

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1389
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1089
  clamav chm handler: crasher bugs

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3912
http://www.securityfocus.com/bid/31051
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1141
  DOS related to out-of-memory in libclamav

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3913
http://www.securityfocus.com/bid/31051
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1141
  DOS caused by multiple memory leaks in freshclam/manager.c

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3914
http://www.securityfocus.com/bid/31051
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1141
  Multiple unspecified vulnerabilities with unknown impact

Timeline
~~~~~~~~

20080902 ClamAV release 0.94.
20080905 OpenPKG 0.94 package release.
20080905 Kolab Bug Tracker Issue created.
20080911 Kolab Server security advisory published.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIyod4uyGFFEu4ZWgRAggPAJ42TKDMWoxEptkC5xYGx/ot+WL6IgCeL5c3
Qj2C4EIT2GcGxlhpK2duyZ4=
=JxC7
-----END PGP SIGNATURE-----
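Before running the upgrade procedure in the Fix section, an administrator would want to confirm that the installed ClamAV really falls in the affected range (up to 0.93.1) and that the downloaded package matches the MD5 sums the advisory publishes. The following POSIX sh helpers are an added example written for this page, not part of the Kolab advisory or the Kolab project; the checksum table is copied from the advisory, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Kolab advisory): version and checksum checks
# that correspond to the Affected Versions and MD5 sums sections above.

# Expected MD5 sums exactly as listed in Kolab Security Issue 22.
ADVISORY_MD5SUMS='35acf995ef8927a8ea76afb8502eb648 clamav-0.94-20080905.ix86-debian4.0-kolab.rpm
0b6be1bf21deef9de8582a56d330aaef clamav-0.94-20080905.src.rpm
67ffd197c991b5d1dc83520a91b5ff57 clamav-0.94-20080905_kolab.ix86-debian3.1-kolab.rpm
0b7d3a2a22f9a2c2e12bc0b14cc3b800 clamav-0.94-20080905_kolab.src.rpm'

# clamav_is_affected VERSION
# Returns 0 when VERSION is 0.93.1 or older (affected per the advisory),
# 1 otherwise. Compares dotted numeric components; missing ones count as 0,
# and a trailing suffix such as "rc1" is ignored by awk's numeric conversion.
clamav_is_affected() {
    echo "$1" | awk -F. '{
        maj = $1 + 0; min = $2 + 0; pat = $3 + 0
        if (maj == 0 && (min < 93 || (min == 93 && pat <= 1))) exit 0
        exit 1
    }'
}

# verify_md5 PATH EXPECTED_MD5
# Returns 0 when the md5sum of PATH equals EXPECTED_MD5, 1 otherwise.
verify_md5() {
    actual=$(md5sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# verify_advisory_md5 PATH
# Looks up the basename of PATH in the advisory table and checks the file
# against it. Returns 0 on match, 1 on mismatch, 2 if the advisory lists
# no checksum for that file name (so an unknown package is never accepted).
verify_advisory_md5() {
    name=$(basename "$1")
    expected=$(printf '%s\n' "$ADVISORY_MD5SUMS" | awk -v n="$name" '$2 == n {print $1}')
    [ -n "$expected" ] || return 2
    verify_md5 "$1" "$expected"
}

# Typical use on a Kolab host (reads the installed version from clamd):
#   if clamav_is_affected "$(/kolab/bin/clamd --version | awk '{print $2}')"; then
#       verify_advisory_md5 ./clamav-0.94-20080905.src.rpm || exit 1
#   fi
```

The `clamd --version` invocation in the trailing comment is an assumption about the installed binary's path and output format; adjust it to the local installation.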