Updated clamav packages fix security vulnerabilities
Publication date: 19 Nov 2019
Modification date: 19 Nov 2019
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-12625, CVE-2019-12900
Description
The updated packages fix security vulnerabilities:

ClamAV versions prior to 0.101.3 are susceptible to a zip bomb vulnerability where an unauthenticated attacker can cause a denial of service condition by sending crafted messages to an affected system. (CVE-2019-12625)

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. (CVE-2019-12900)
References
- https://bugs.mageia.org/show_bug.cgi?id=25231
- https://blog.clamav.net/2019/08/clamav-01013-security-patch-release-and.html
- https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html
- https://www.openwall.com/lists/oss-security/2019/08/06/3
- https://usn.ubuntu.com/4146-1/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12625
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900
SRPMS
7/core
- clamav-0.101.4-1.1.mga7
- c-icap-modules-extra-0.5.3-1.mga7
- ecap-clamav-2.0.0-3.1.mga7