-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 25 20091117
================================

Package: Kolab Server, ClamAV
Vulnerability: various
Kolab Specific: no
Dependent Packages: none

Summary
~~~~~~~

ClamAV is prone to multiple vulnerabilities because it fails to properly
restrict certain files after scanning them. A successful attack may allow
malicious users to bypass security restrictions placed on certain files.

Further unpublished vulnerabilities may have been fixed.

Affected Versions
~~~~~~~~~~~~~~~~~

This affects versions of ClamAV up to version 0.95.1.

Kolab Server 2.2.2 and previous releases are affected.

Fix
~~~

Upgrade to ClamAV 0.95.3.

OpenPKG packages for Kolab Server 2.2.2 are available from

  http://files.kolab.org/server/security-updates/20091117/

or from the mirrors listed on

  http://kolab.org/mirrors.html

A binary RPM for Kolab Server 2.2.2 (ix86 Debian GNU/Linux Lenny) is
available as

  clamav-0.95.3-20091030.ix86-debian5.0-kolab.rpm

A binary RPM for Kolab Server 2.2.2 (ix86 Debian GNU/Linux Etch) is
available as

  clamav-0.95.3-20091030.ix86-debian4.0-kolab.rpm

The source and binary packages have been verified to work with Kolab
Server 2.2.0, so you can upgrade this package without doing a full
upgrade.

All other server versions: Please upgrade to Kolab Server 2.2.x and
install the updated package.

You can check the integrity of the downloaded files with:

  $ gpg --keyserver keys.gnupg.net --recv-key 5816791A

or import the key from

  https://www.intevation.de/~thomas/gpg_pub_key.asc

  $ gpg --verify SHA1SUMS.sig
  $ sha1sum -c SHA1SUMS

The source package can be compiled and installed on your Kolab Server
with:

  # su - kolab
  $ openpkg rpm --rebuild ...path/to.../clamav-0.95.3-20091030.src.rpm
  $ openpkg rpm -Uvh /kolab/RPM/PKG/clamav-0.95.3-20091030.--kolab.rpm
  $ rm /kolab/etc/clamav/*.rpmsave
  $ openpkg rc clamav stop
  $ openpkg rc clamav start
  $ exit
  # su - kolab-r
  $ freshclam
  $ rm -r /kolab/share/clamav/*.inc

To install a binary package, just skip the --rebuild step.

Details
~~~~~~~

http://sourceforge.net/project/shownotes.php?release_id=688880
  ClamAV 0.95.2 release notes (bugfix release, only the ChangeLog has
  been published)
  ClamAV 0.95.3 release notes

http://www.securityfocus.com/bid/35426
  ClamAV CAB/RAR/ZIP File Scan Evasion Vulnerability

http://www.securityfocus.com/bid/35398
  ClamAV Embedded Archive File Scan Evasion Vulnerability

http://www.securityfocus.com/bid/35410
  ClamAV Prior to 0.95.2 Multiple Scanner Bypass Vulnerabilities

Timeline
~~~~~~~~

20090610 ClamAV release 0.95.2.
20091028 ClamAV release 0.95.3.
20091030 Update available via Kolab CVS, started testing.
20091117 Kolab Server security advisory published.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAksCzQ0ACgkQW7P1GVgWeRqF7ACfYpZy6hiKZRgfRpiM6VQSmRS7
uUYAoInVoYSjG5adf9IszUFDjV9zmsDL
=a8+C
-----END PGP SIGNATURE-----
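The integrity check in the fix instructions above (`gpg --verify SHA1SUMS.sig` followed by `sha1sum -c SHA1SUMS`) is the step that protects against a tampered or corrupted download from a mirror. The script below is an added example, not part of the Kolab advisory: it builds a constructed download directory with a matching SHA1SUMS file, runs the same `sha1sum -c` check, and then shows that a single changed byte in the package is rejected. The file name `clamav-example.rpm` and its contents are stand-ins, not the real Kolab packages; the GPG step is left out because it needs the signer's key and a real signature.

```shell
#!/bin/sh
# Added example (not from the Kolab advisory): exercise the
# "sha1sum -c SHA1SUMS" integrity check on a constructed download
# directory, once intact and once tampered with.

# verify_sums DIR: run sha1sum -c against DIR/SHA1SUMS and return 0 only
# if every listed file matches its recorded digest (same check as the
# advisory's "$ sha1sum -c SHA1SUMS" step).
verify_sums() {
    ( cd "$1" && sha1sum -c SHA1SUMS ) >/dev/null 2>&1
}

# make_fixture: create a temporary directory holding a constructed
# package file and a SHA1SUMS file that matches it; prints the path.
make_fixture() {
    dir=$(mktemp -d)
    printf 'constructed package payload\n' > "$dir/clamav-example.rpm"
    ( cd "$dir" && sha1sum clamav-example.rpm > SHA1SUMS )
    echo "$dir"
}

# tamper DIR: change the package after SHA1SUMS was written, which is
# what a corrupted or modified mirror copy looks like to the check.
tamper() {
    printf 'tampered package payload\n' > "$1/clamav-example.rpm"
}

# Intact download: the check passes.
intact_dir=$(make_fixture)
if verify_sums "$intact_dir"; then
    echo "intact download: SHA1SUMS verified"
else
    echo "intact download: verification FAILED"
fi

# Tampered download: the check fails and the package must not be installed.
tampered_dir=$(make_fixture)
tamper "$tampered_dir"
if verify_sums "$tampered_dir"; then
    echo "tampered download: verified (unexpected)"
else
    echo "tampered download: rejected, do not install"
fi

rm -rf "$intact_dir" "$tampered_dir"
```

Note that `sha1sum -c` only proves the files match the SHA1SUMS file; that file is itself worth nothing unless `gpg --verify SHA1SUMS.sig` succeeded against the key named in the advisory, which is why the advisory lists the GPG step first.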