-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 18                                        20080109
================================

Package: Kolab Server, ClamAV
Vulnerability: various
Kolab Specific: no
Dependent Packages: none

Summary
~~~~~~~

CVE-2007-6335
It was discovered that an integer overflow in the decompression code
for MEW archives may lead to the execution of arbitrary code.

CVE-2007-6336
It was discovered that an off-by-one in the MS-ZIP decompression code
may lead to the execution of arbitrary code.

CVE-2007-6337
An unspecified vulnerability in the bzip2 decompression algorithm in
nsis/bzlib_private.h.

Affected Versions
~~~~~~~~~~~~~~~~~

This affects versions of ClamAV up to version 0.91.2.

Kolab Server 2.1.0 and previous releases of the 2.1 branch are affected.
Kolab Server 2.0.4 and previous releases of the 2.0 branch are affected.
Kolab Server 2.2-beta3 and previous prereleases are affected.

Fix
~~~

Upgrade to ClamAV 0.92.

The ClamAV source RPM patched to be compilable with Kolab Server 2.1
and 2.0 is available from the Kolab download mirrors as:

  security-updates/20080109/clamav-0.92-20080101_kolab.src.rpm

A binary RPM for Kolab Server 2.1.0 (ix86 Debian GNU/Linux Sarge) is
available:

  security-updates/20080109/clamav-0.92-20080101_kolab.ix86-debian3.1-kolab.rpm

All other server versions: please build from the src.rpm.

For Kolab Server 2.2-beta3 the unmodified OpenPKG rpm can be used:

  security-updates/20080109/clamav-0.92-20080101.src.rpm

The mirrors are listed on http://kolab.org/mirrors.html

While the mirrors are catching up, you can also get the package via
rsync:

  # rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080109/clamav-0.92-20080101_kolab.src.rpm .
  # rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080109/clamav-0.92-20080101_kolab.ix86-debian3.1-kolab.rpm .
  # rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080109/clamav-0.92-20080101.src.rpm .

MD5 sums:

  ad61c36b1d84aaa06e734fa02e13923b  clamav-0.92-20080101.src.rpm
  3fe0e99160eea9816e55630378cd79d8  clamav-0.92-20080101_kolab.ix86-debian3.1-kolab.rpm
  91094b48f22958536685eb29c786ea4f  clamav-0.92-20080101_kolab.src.rpm

The package can be installed on your Kolab Server with:

  # /kolab/bin/openpkg rpm --rebuild clamav-0.92-20080101_kolab.src.rpm
  # /kolab/bin/openpkg rpm \
      -Uvh /kolab/RPM/PKG/clamav-0.92-20080108_kolab.--kolab.rpm
  # rm /kolab/etc/clamav/*.rpmsave
  # /kolab/bin/openpkg rc clamav start
  # su - kolab-r
  $ freshclam

For Kolab Server 2.0.4 you have to copy the new
/kolab/etc/clamav/clamd.conf to
/kolab/etc/kolab/templates/clamd.conf.template so that it will not be
overwritten by kolabconf. Do NOT copy this file with Kolab Server 2.1
or 2.2!

Details
~~~~~~~

http://sourceforge.net/project/shownotes.php?release_id=562254
  ClamAV 0.92 release notes

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6335
  CVE-2007-6335

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6336
  CVE-2007-6336

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6337
  CVE-2007-6337

Timeline
~~~~~~~~

20071217 ClamAV release 0.92.
20071217 OpenPKG 0.92 package release.
20080109 Kolab Server security advisory published.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHhP3/W7P1GVgWeRoRArqEAKCGA8hTOAWBcDt3WqG4B7WLIztaKwCbBzGb
Uxon0E4dFQhN/FdMNWZNo9E=
=1e8v
-----END PGP SIGNATURE-----
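Before running the upgrade steps above, an administrator will want to know whether the installed ClamAV actually falls in the affected range (0.91.2 and earlier) and whether the packages fetched over rsync match the MD5 sums the advisory publishes. The following POSIX shell script is an added example, not part of the Kolab advisory: it checks a version string against the 0.92 fix boundary and verifies any of the three listed files found in a download directory. The script name and the assumption that `md5sum` and `sed` are available are the author's; the clamd binary path used to obtain the version string (for example /kolab/bin/clamd under the OpenPKG layout) is an assumption as well.

```shell
#!/bin/sh
# Added example, not part of the Kolab advisory: decide whether a ClamAV version
# is in the affected range (0.91.2 and earlier, fixed in 0.92) and verify the
# downloaded packages against the MD5 sums the advisory lists.

# Sums and file names copied from the advisory.
EXPECTED_SUMS="ad61c36b1d84aaa06e734fa02e13923b  clamav-0.92-20080101.src.rpm
3fe0e99160eea9816e55630378cd79d8  clamav-0.92-20080101_kolab.ix86-debian3.1-kolab.rpm
91094b48f22958536685eb29c786ea4f  clamav-0.92-20080101_kolab.src.rpm"

# clamav_vulnerable "<version>": 0 = older than 0.92, 1 = 0.92 or newer,
# 2 = no version parsed. Accepts "0.91.2" or the full "ClamAV 0.91.2/..."
# line from "clamd --version"; the fix boundary is at the minor number.
clamav_vulnerable() {
    v=$(printf '%s\n' "$1" | sed -n 's/^\(ClamAV \)\{0,1\}\([0-9][0-9.]*\).*/\2/p')
    [ -n "$v" ] || return 2
    major=${v%%.*}; rest=${v#"$major"}; rest=${rest#.}
    minor=${rest%%.*}; minor=${minor:-0}
    [ "$major" -gt 0 ] && return 1
    [ "$minor" -ge 92 ] && return 1
    return 0
}

# verify_md5 <dir>: checks each advisory file present in <dir>; returns 0
# if all match, 1 on any mismatch, 2 if none of the files were found.
verify_md5() {
    dir=$1; found=0; bad=0
    old_ifs=$IFS; IFS='
'
    for entry in $EXPECTED_SUMS; do      # split on newlines, not spaces
        IFS=$old_ifs
        expected=${entry%% *}; name=${entry##* }
        [ -f "$dir/$name" ] || continue
        found=$((found + 1))
        actual=$(md5sum "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $actual)"; bad=$((bad + 1))
        fi
    done
    IFS=$old_ifs
    [ "$found" -gt 0 ] || return 2
    [ "$bad" -eq 0 ]
}
# Usage: sh clamav-check.sh <download-dir> [output of "clamd --version"]
[ "$#" -ge 1 ] && verify_md5 "$1"
if [ "$#" -ge 2 ]; then
    clamav_vulnerable "$2" && echo "AFFECTED (older than 0.92): $2" || echo "checked: $2"
fi
```

A typical invocation on the server would be `sh clamav-check.sh ./downloads "$(/kolab/bin/clamd --version)"`, with the clamd path adjusted to the installation.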