Your message dated Fri, 17 Feb 2023 19:49:38 +0000
with message-id <e1pt6ji-004tpk...@fasolo.debian.org>
and subject line Bug#1031509: fixed in clamav 1.0.1+dfsg-1
has caused the Debian Bug report #1031509,
regarding clamav: new upstream security release, CVE-2023-20032
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
1031509: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031509
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: clamav
Severity: grave

Hi,

As you'll likely know there is
https://security-tracker.debian.org/tracker/CVE-2023-20032 and
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

"CVE-2023-20032: Fixed a possible remote code execution vulnerability in
the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1
and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for
reporting this issue."

Upstream released fixed tarballs for all their supported branches. I've
managed to build 0.103.8+dfsg-0+deb10u1~uvt0 for Debian 10/buster from
that; it's available from https://non-gnu.uvt.nl/debian/buster/clamav/
(including sources). We are now running this build on the Tilburg
University mail infrastructure; it might work for others too.

Anybody working on a proper Debian-supplied fix: feel free to contact me
(via IRC, e.g.).

HTH, Bye,

Joost

-- 
Joost van Baal-Ilić http://abramowitz.uvt.nl/
Tilburg University mailto:joostvb.uvt.nl
The Netherlands
--- End Message ---
--- Begin Message ---
Source: clamav
Source-Version: 1.0.1+dfsg-1
Done: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1031...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebast...@breakpoint.cc> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 17 Feb 2023 20:29:05 +0100
Source: clamav
Architecture: source
Version: 1.0.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-de...@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Closes: 1031509
Changes:
 clamav (1.0.1+dfsg-1) unstable; urgency=medium
 .
   * Import 1.0.1 (Closes: #1031509)
     - CVE-2023-20032 (Possible RCE in the HFS+ file parser).
     - CVE-2023-20052 (Possible information leak in the DMG file parser).
Checksums-Sha1:
 fec345e5820bc6ea8c8b15a41cf1234e2320ff0e 2829 clamav_1.0.1+dfsg-1.dsc
 fe18edded75204a2b4b4ec0c73c22da14e5235c2 14132600 clamav_1.0.1+dfsg.orig.tar.xz
 2271488d1efe0e9dfb402630c520c36a46af34a8 222848 clamav_1.0.1+dfsg-1.debian.tar.xz
Checksums-Sha256:
 6263eb81b8cdabc605bac140742ba31907a4025a3a4d65ea82e4992aba5486fc 2829 clamav_1.0.1+dfsg-1.dsc
 0f19b43ec26395bb921a03a77a17138b92fde4ddbcee33804da7075e5d709c90 14132600 clamav_1.0.1+dfsg.orig.tar.xz
 4aa0a1529b35cfd795905815ac959b9d717054e35968dfcf1a88ed0cef2d787d 222848 clamav_1.0.1+dfsg-1.debian.tar.xz
Files:
 b3f25cf5947cc8d612a5bf677bfae921 2829 utils optional clamav_1.0.1+dfsg-1.dsc
 5dae77cb4de79e4ead9275f75c90bd20 14132600 utils optional clamav_1.0.1+dfsg.orig.tar.xz
 5d68b02434a4dcb01ed33089f5cdecf1 222848 utils optional clamav_1.0.1+dfsg-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEEV4kucFIzBRM39v3RBWQfF1cS+lsFAmPv1d0ACgkQBWQfF1cS
+lv1OQv+PZ78Ke84bICNkMqTqVyN1RAxtF8v6u58hbDwnqjhp1cD2PuHuX67nSMx
WTZgTH4IqzMGfPnPQR7HPXiSFmd0GQt/2LqNy/WKr4C3yeHG0I4I2nHOBxyQRbG1
YZ7WAz8RXbU9gJWcEFZTQZBwcYy+D4ts1Sm67XbIz8WytIaXbl4lM/QCEMuX7Mqn
qyL+utgOW8V575QJo7BwYHIgyvOAWkHqprCGTgX8/PttxzdDxm+jwdH0E/qROCQM
2MpWuD7V87rzyQJZ3amYVXpuCRfaECoWiNb8LEZznMlx10+HzYtJjuJeC1N84JSm
+YyspwtrqiBBUWYVsx/RSp8emfyq7qy8RU1fmR2nEqVtQqwsXstWdZvpO69fBRmV
A+PX9Lp2i8WsX4378NgcLrtbAmxvMHjFXRZRJo76IaXKNZGb/DBgwgE9es0gpPbG
j5D1hW8KwT7WJ55SmgE7yPw6s+i4KLvgdSxviSP/lItdbfgNDpqHGwpVXCuVNFoz
VDYQwsDt
=0Fl8
-----END PGP SIGNATURE-----
--- End Message ---
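The Checksums-Sha256 stanza in the .changes above is what anyone pulling the source (for example to rebuild a backport, as the reporter did) should compare against before unpacking it. The following POSIX shell script is an added example, not part of the Debian message or of the clamav package: it extracts that stanza from a .changes file and checks the listed files with sha256sum. The sample .changes file and tarballs it creates (demo_1.0.orig.tar.xz and friends) are constructed for the demonstration and their names are invented.

```shell
#!/bin/sh
# Added example (not Debian's or ClamAV's own tooling): check the files named
# in a .changes Checksums-Sha256 stanza against what is actually on disk.
# The sample .changes and tarballs built below are constructed for the demo.

# Print the Checksums-Sha256 stanza of a .changes file as
# "<sha256>  <filename>" lines, the format sha256sum -c expects.
# Stanza continuation lines start with a space and carry
# "<hash> <size> <filename>"; the next field header ends the stanza.
changes_sha256_list() {
    awk '
        /^Checksums-Sha256:/ { in_stanza = 1; next }
        /^[A-Za-z-]+:/       { in_stanza = 0 }
        in_stanza && NF == 3 { printf "%s  %s\n", $1, $3 }
    ' "$1"
}

# Verify every file listed in the stanza of $1 inside directory $2.
# Returns 0 only if every file exists and hashes to the listed value.
# This trusts the .changes file itself: verify its OpenPGP signature
# first, because the checksums are only as good as that signature.
verify_changes_sha256() {
    changes=$1
    dir=$2
    list=$(changes_sha256_list "$changes")
    if [ -z "$list" ]; then
        echo "no Checksums-Sha256 stanza in $changes" >&2
        return 1
    fi
    # Filenames in a .changes file are bare; refuse anything with a path
    # component so a crafted stanza cannot point the check outside "$dir".
    case $list in
        */*) echo "refusing filename with path component" >&2; return 1 ;;
    esac
    ( cd "$dir" && printf '%s\n' "$list" | sha256sum -c --quiet --strict - )
}

# Build a constructed sample upload: two small stand-in "tarballs" and a
# minimal .changes file whose Checksums-Sha256 stanza matches them.
make_sample() {
    d=$(mktemp -d)
    printf 'constructed orig tarball\n' > "$d/demo_1.0.orig.tar.xz"
    printf 'constructed debian tarball\n' > "$d/demo_1.0-1.debian.tar.xz"
    {
        echo "Format: 1.8"
        echo "Source: demo"
        echo "Checksums-Sha256:"
        for f in demo_1.0.orig.tar.xz demo_1.0-1.debian.tar.xz; do
            h=$(sha256sum "$d/$f" | cut -d' ' -f1)
            s=$(wc -c < "$d/$f" | tr -d ' ')
            echo " $h $s $f"
        done
        # Dummy Files: stanza, present only so the parser has a terminator.
        echo "Files:"
        echo " 00000000000000000000000000000000 0 utils optional demo_1.0-1.dsc"
    } > "$d/demo_1.0-1_source.changes"
    echo "$d"
}

demo() {
    d=$(make_sample)
    changes=$d/demo_1.0-1_source.changes
    if verify_changes_sha256 "$changes" "$d"; then
        echo "untampered upload: all SHA-256 checksums match"
    fi
    # Simulate a tarball swapped on a mirror: contents change, name does not.
    printf 'something else entirely\n' > "$d/demo_1.0.orig.tar.xz"
    if ! verify_changes_sha256 "$changes" "$d"; then
        echo "tampered upload: verification failed, as it should"
    fi
    rm -rf "$d"
}

demo
```

In a real workflow, check the OpenPGP signature on the .changes (or run `dscverify` from devscripts, which verifies both the signature against the Debian keyrings and these checksums) before trusting the hashes; on their own, the checksums only tell you whether a downloaded tarball still matches what the uploader signed.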