[Bug 360502] Re: Fix relevant security bugs from 0.95.1 in earlier releases
Launchpad Bug Tracker
360502 at bugs.launchpad.net
Mon May 4 19:44:50 BST 2009
This bug was fixed in the package clamav - 0.94.dfsg.2-1ubuntu0.3~hardy4
---------------
clamav (0.94.dfsg.2-1ubuntu0.3~hardy4) hardy-security; urgency=low
* No change rebuild from backports for use with ClamAV 0.94
clamav (0.94.dfsg.2-1ubuntu0.3~hardy3) hardy-backports; urgency=low
* Update Hardy backport to include the latest apparmor profile fixes from
Jaunty development
clamav (0.94.dfsg.2-1ubuntu0.3~hardy2) hardy-backports; urgency=low
* Drop deny rule in freshclam apparmor profile since deny is not supported
in Hardy's apparmor (LP: #360919)
clamav (0.94.dfsg.2-1ubuntu0.3~hardy1) hardy-backports; urgency=low
* Source backport for Hardy (lsb-base not present in sufficient version)
(LP: #354190, #360502)
- Drop versioning of lsb-base depends
- Revert lsb status changes from maintainer scripts
* Update existing backport with security fixes from 0.95 and 0.95.1
* Update apparmor profile with fixes from Jaunty
clamav (0.94.dfsg.2-1ubuntu0.3) intrepid-security; urgency=high
* SECURITY UPDATE: (LP: #360502)
* References
* libclamav/others.h: harden CLI_ISCONTAINED macro (bb#1552) (Denial of
service)
* Note: clamav-milter bugs such as 1499, 1522, 1524, and 1531 are not
relevant to clamav 0.94.2 and earlier versions
* Note: The code related to clamav bug 1553 was substantially rewritten in
0.95, so it is also not relevant to clamav 0.94.2 and earlier versions
* Bump CL_FLEVEL_DCONF to 0.95.1 level since relevant security patches are
applied
* Added CVE references for 0.94.dfsg.2-1ubuntu0.2 now that they've been
assigned
clamav (0.94.dfsg.2-1ubuntu0.2) intrepid-security; urgency=high
* SECURITY UPDATE (LP: #354190):
* References Clamav #1335, #1462, CVE 2008-6680, CVE 2009-1270
* libclamav/pe.c: division by zero with --detect-broken (bb#1335) (Denial of
service)
* libclamav/untar.c: infloop in tar.c (bb#1462) (Denial of Service)
* Add dconf_renable patch from 0.95 (previously backported to 0.92.2)
- Bump CL_FLEVEL_DCONF to 0.95 level since security patches are applied
clamav (0.94.dfsg.2-1ubuntu0.1) intrepid-security; urgency=low
* SECURITY UPDATE: (LP: #304017)
- Fix recursive stack overflow in jpeg parsing code
* Other changes:
- debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 for
clamav-daemon and clamav-freshclam
- add debian/usr.bin.freshclam and debian/usr.sbin.clamd
- debian/clamav-(daemon|freshclam).dirs: add etc/apparmor.d/force-complain
- debian/clamav-(daemon|freshclam).install: install profiles
- debian/clamav-(daemon|freshclam).preinst: create symlink for
force-complain/ on pre-feisty upgrades, upgrades where apparmor-profiles
profile is unchanged (ie non-enforcing) and upgrades where the profile
doesn't exist.
- debian/clamav-(daemon|freshclam).postrm: remove symlink in
force-complain/ on purge.
- debian/clamav-(daemon|freshclam).postinst.in: reload apparmor
- update README.Debian with note on Apparmor
- Enable upstream test suite in debian/rules
clamav (0.94.dfsg.2-1) unstable; urgency=low
[ Stephen Gran ]
* New upstream version
[ Michael Meskes ]
* Removed unused debconf templates and unfuzzied all translations.
[ Michael Tautschnig ]
* Removed --unzip from clampipe script (closes: #506055)
* Moved clamav-milter specific stuff from its specific README.Debian to
clamav-global one.
* Sync start of clamav-milter with clamav-daemon when clamav-daemon is being
upgraded (closes: #309067)
* The TemporaryDirectory option has been added long ago, no need for hacks
via clamav-daemon.default anymore (closes: #253080)
clamav (0.94.dfsg.1-1ubuntu0.1) intrepid-security; urgency=low
* SECURITY UPDATE: (LP: #296704)
- Fix off-by-one heap overflow
* Other changes:
- debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 for
clamav-daemon and clamav-freshclam
- add debian/usr.bin.freshclam and debian/usr.sbin.clamd
- debian/clamav-(daemon|freshclam).dirs: add etc/apparmor.d/force-complain
- debian/clamav-(daemon|freshclam).install: install profiles
- debian/clamav-(daemon|freshclam).preinst: create symlink for
force-complain/ on pre-feisty upgrades, upgrades where apparmor-profiles
profile is unchanged (ie non-enforcing) and upgrades where the profile
doesn't exist.
- debian/clamav-(daemon|freshclam).postrm: remove symlink in
force-complain/ on purge.
- debian/clamav-(daemon|freshclam).postinst.in: reload apparmor
- update README.Debian with note on Apparmor
* Update apparmor profile for clamd to work with TCP sockets (LP: #288942)
clamav (0.94.dfsg.1-1) unstable; urgency=low
[ Stephen Gran ]
* New upstream version (closes: #505134, #502165, #501298)
* Handle new option SubmitDetectionStats in freshclam.conf
* Remove RAR from the description, since we really don't handle it anymore
* Skip 'sleep until -e socket' logic if socket is of type inet (LP #296086)
[ Michael Meskes ]
* Added myself as uploader.
* Changed watch file to account for dfsg extension.
* Do not configure temporary directory in clamd.conf anymore unless it is
already configured there.
* Added Basque debconf translation (closes: #500007)
[ Michael Tautschnig ]
* Use lsb's status_of_proc function to determine the status of the process
and return with according exit codes (closes: #486076)
* Updated Dutch debconf translation (thanks Paul Gevers <paul at climbing.nl>)
(closes: #501627)
* Changed versioned dependency of clamav-daemon to clamav-base to equals
(closes: #500416)
* Handle new option DetectionStatsCountry in freshclam.conf
* Don't trust the multilib guessing stuff, always use libdir=$prefix/lib
* Removed nowadays unused lintian overrides
* Create md5sums control file for clamav-dbg as well (thanks, lintian)
clamav (0.94.dfsg.1~rc1-0ubuntu2) intrepid; urgency=low
* update clamd profile for use with exim (LP: #288110)
clamav (0.94.dfsg.1~rc1-0ubuntu1) intrepid; urgency=low
* New upstream RC release (LP:#286176)
- Odd version numbering is to get a higher version than 0.94.dfsg without
an epoch and was coordinated with Debian
- Packaging based on current Ubuntu (0.94.dfsg-1ubuntu2) and does not use
unreleased packaging improvements in the Debian pkg-clamav Git repo to
minimize risk for Intrepid
- Handle new freshclam option SubmitDetectionStats (cherry picked from
Debian pkg-clamav Git repo)
clamav (0.94.dfsg-1ubuntu2) intrepid; urgency=low
* Update apparmor profile based on test feedback (LP: #276865)
-Thanks to Ante Karamatić for the change
clamav (0.94.dfsg-1ubuntu1) intrepid; urgency=low
* Follow ApparmorProfileMigration and force apparmor complain mode on some
upgrades (LP: #264817)
- debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 for
clamav-daemon and clamav-freshclam
- add debian/usr.bin.freshclam and debian/usr.sbin.clamd
- debian/clamav-(daemon|freshclam).dirs: add etc/apparmor.d/force-complain
- debian/clamav-(daemon|freshclam).install: install profiles
- debian/clamav-(daemon|freshclam).preinst: create symlink for
force-complain/ on pre-feisty upgrades, upgrades where apparmor-profiles
profile is unchanged (ie non-enforcing) and upgrades where the profile
doesn't exist.
- debian/clamav-(daemon|freshclam).postrm: remove symlink in
force-complain/ on purge.
- debian/clamav-(daemon|freshclam).postinst.in: reload apparmor
- update README.Debian with note on Apparmor
clamav (0.94.dfsg-1) unstable; urgency=low
* New upstream version (closes: #497662, #497773)
- lots of new options for clamd.conf
- fixes CVEs CVE-2008-3912, CVE-2008-3913, CVE-2008-3914, and
CVE-2008-1389
* No longer supports --unzip option, so typo is gone (closes: #496276)
* Translations:
- sv (thanks Martin Bagge <brother at bsnet.se>) (closes: #491760)
clamav (0.93.3.dfsg-1) unstable; urgency=low
* New upstream version (closes: #489890, #492838, #491720)
* Fix AUTHORS symlink (closes: #490207)
* Fix freshclam's logcheck regex (closes: #486385)
clamav (0.93.1.dfsg-1.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* This update addresses the following security issue:
- CVE-2008-2713: A crafted petite file can trigger an out-of-bound
read operation in petite.c resulting in a denial of service
(Closes: #490925).
clamav (0.93.1.dfsg-1) unstable; urgency=low
* New upstream version
* Move conflicts to freshclam
clamav (0.93~dfsg-4) unstable; urgency=low
* Dammit. The -f flag is there for a reason (closes: #484262)
clamav (0.93~dfsg-3) unstable; urgency=low
* Make dash happy with use of return (closes: #484170)
clamav (0.93~dfsg-2) unstable; urgency=low
* Remove dpatch dependency - we keep the code in a patch system.
* Wrap evaluations of [ $variable = true ] in calls to to_lower()
* Add is_true function to catch the 7 bajillion variants of something being
true (closes: #483874)
* Clean up old incompatible database formats. Users of 3rd party software
that also loads those old databases are now out of luck. (closes: #481864)
* Fix logcheck lines for clamav-daemon (closes: #477818)
* New translation:
- sv (thanks Martin Bagge <martin.bagge at bthstudent.se>)(closes: #483765)
clamav (0.93~dfsg-1) unstable; urgency=low
* New upstream release (closes: #476450, #477278)
- Fixes failure to lock database directory
(closes: #467298, #471643, #426503)
* Fix logrotation when supervised (closes: #469196)
* Run adduser on every new install - this should work around the
xen-create-image thing of adding users but not groups (closes: #458015)
* Make clamav-milter be a little more self-documenting (closes: #477178)
-- Jamie Strandboge <jamie at ubuntu.com> Thu, 30 Apr 2009 14:44:26 -0500
** Changed in: clamav (Ubuntu Hardy)
Status: Fix Committed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1389
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2713
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3912
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3913
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3914
--
Fix relevant security bugs from 0.95.1 in earlier releases
https://bugs.launchpad.net/bugs/360502
You received this bug notification because you are a member of Ubuntu
Backports Testing Team, which is subscribed to Hardy Backports.