Bug 1103099 - VUL-0: clamav: 0.100.1 release
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Reinhard Max
Security Team bot
CVSSv2:NVD:CVE-2018-0360:4.3:(AV:N/AC...
Reported: 2018-07-30 13:00 UTC by Marcus Meissner
Modified: 2018-11-28 07:45 UTC (History)

Description Marcus Meissner 2018-07-30 13:00:19 UTC
This tracks the ClamAV 0.100.1 release.

https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html

 ClamAV 0.100.1 is a hotfix release to patch a set of vulnerabilities.

    Fixes for the following CVE's:
        CVE-2017-16932: Vulnerability in libxml2 dependency (affects ClamAV on Windows only).  (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16932)
        CVE-2018-0360: HWP integer overflow, infinite loop vulnerability. Reported by Secunia Research at Flexera. (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0360)
        CVE-2018-0361: ClamAV PDF object length check, unreasonably long time to parse relatively small file. Reported by aCaB. (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0361)
    Fixes for a few additional bugs:
        Buffer over-read in unRAR code due to missing max value checks in table initialization. Reported by Rui Reis.
        Libmspack heap buffer over-read in CHM parser. Reported by Hanno Böck.
        PDF parser bugs reported by Alex Gaynor.
            Buffer length checks when reading integers from non-NULL terminated strings.
            Buffer length tracking when reading strings from dictionary objects.
    HTTPS support for clamsubmit.
    Fix for DNS resolution for users on IPv4-only machines where IPv6 is not available or is link-local only. Patch provided by Guilherme Benkenstein.

Thank you to the following ClamAV community members for your code submissions and bug reports!

    aCaB
    Alex Gaynor
    Guilherme Benkenstein
    Hanno Böck
    Rui Reis
    Laurent Delosieres, Secunia Research at Flexera
Comment 1 Reinhard Max 2018-07-30 13:42:08 UTC
This release is already being tracked by bug 1101410, bug 1101412 and bug 1101654.
Comment 2 Reinhard Max 2018-07-31 15:23:25 UTC
Submitted the new version to all relevant code streams.
Further tracking will happen in the security bugs mentioned in comment 1.