FEDORA-EPEL-2023-ef27d9fd2b — security update for clamav

obsolete

clamav-0.103.8-1.el7

FEDORA-EPEL-2023-ef27d9fd2b created by orion 4 months ago for Fedora EPEL 7

ClamAV 0.103.8 is a critical patch release with the following fixes:

CVE-2023-20032https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.
CVE-2023-20052https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

This update has been submitted for testing by orion.

4 months ago

This update's test gating status has been changed to 'ignored'.

4 months ago

This update has been pushed to testing.

4 months ago

neil commented & provided feedback 4 months ago

karma

Database provided in this update fails signature verification.

[root@41e54067803a /]# clamscan --infected --recursive . --debug
LibClamAV debug: searching for unrar, user-searchpath: /usr/lib64
LibClamAV debug: searching for unrar: libclamunrar_iface.so.9.0.5 not found
LibClamAV debug: searching for unrar: libclamunrar_iface.so.9 not found
LibClamAV debug: searching for unrar: libclamunrar_iface.so not found
LibClamAV debug: searching for unrar: libclamunrar_iface.a not found
LibClamAV debug: Cannot dlopen libclamunrar_iface: file not found - unrar support unavailable
LibClamAV debug: Initialized 0.103.8 engine
LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
LibClamAV debug: Phishcheck module initialized
LibClamAV debug: Bytecode initialized in interpreter mode
LibClamAV debug: Loading databases from /var/lib/clamav
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 9a3223dfc90446e2384856212b2a446f
LibClamAV debug: cli_cvdverify: MD5 verification error
LibClamAV Error: Can't load /var/lib/clamav/daily.cvd: Can't verify database integrity
LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/daily.cvd
ERROR: Can't verify database integrity

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

4 months ago

orion commented & provided feedback 4 months ago

I'll get a fixed version out, but this can be resolved by running freshclam.

This update has been obsoleted by clamav-0.103.8-3.el7.

4 months ago

Please login to add feedback.

Metadata

Type

security

Severity

high

Karma

-1

Signed

Content Type

RPM

Test Gating

ignored

Builds

clamav-0.103.8-1.el7

Settings

Unstable by Karma

-3

Stable by Karma

disabled

Stable by Time

disabled

Dates

submitted

4 months ago

in testing

4 months ago

BZ#2170570 Please build ClamAV 0.103.8 for EL7

clamav-0.103.8-1.el7

Automated Test Results

ignored

Test Cases


0	0	Test Case ClamAV