Bug 1103092 - ClamAV 0.100.0 is outdated and contains multiple CVEs
Status: RESOLVED DUPLICATE of bug 1101410
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.0
Hardware: All All
Priority: P5 - None
Severity: Critical
Assigned To: Security Team bot
CVSSv2:NVD:CVE-2018-0360:4.3:(AV:N/A...
Reported: 2018-07-30 12:18 UTC by Igor Drobot
Modified: 2018-09-13 21:27 UTC (History)

Description Igor Drobot 2018-07-30 12:18:35 UTC
The latest clamav version for Leap 15.0 is the outdated 0.100.0 and contains multiple critical CVEs:
CVE-2018-0360: HWP integer overflow, infinite loop vulnerability
CVE-2018-0361: ClamAV PDF object length check, unreasonably long time to parse relatively small file

The last one can be used for a heavy Denial-of-Service attack against mailing systems by sending PDF files.

Please provide a hotfix or a regular security update release for clamav.


Further Information:
https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html

Thanks!
Igor
Comment 1 Marcus Meissner 2018-07-30 12:37:33 UTC
0.100.1 issues are tracked in bug 1101410 and bug 1101412.

*** This bug has been marked as a duplicate of bug 1101410 ***