Kolab Server 2.1.0 and previous releases of the 2.1 branch are affected.
Kolab Server 2.0.4 and previous releases of the 2.0 branch are affected.
Kolab Server 2.2-beta1 is affected.
Package: Kolab Server, ClamAV
Vulnerability: various
Kolab Specific: no
Dependent Packages: none
Summary
~~~~~~~
A list of fixes relevant for Kolab installations:
- libclamav/rtf.c: fix possible NULL dereference (bb#611)
- libclamav/ole2_extract.c: properly initialise hdr.max_block_no
(bb#603)
- libclamav/htmlnorm.c: fix possible NULL dereference (bb#582),
thanks to Stefanos Stamatis
- libclamav/htmlnorm.c: fix call to tolower() (bb#580)
- libclamav/filetypes.c: some embedded PEs were not being detected
- libclamav/pdf.c: Bug 618, --block-max not always honoured
- libclamav/pdf.c: Bug 608
- libclamav/matcher-ac.c: fix matching of patterns with prefixes and
some
other issues spotted by Glen <daineng*gmail.com>
Affected Versions
~~~~~~~~~~~~~~~~~
This affects versions of ClamAV up to version 0.91.1.
Kolab Server 2.1.0 and previous releases of the 2.1 branch are affected.
Kolab Server 2.0.4 and previous releases of the 2.0 branch are affected.
Kolab Server 2.2-beta1 is affected.
Fix
~~~
Upgrade to ClamAV 0.91.2.
The ClamAV source RPM is available from the Kolab download mirrors as:
security-updates/20070821/clamav-0.91.2-20070821_kolab.src.rpm
A binary RPM for Kolab Server 2.1.0 (ix86 Debian GNU/Linux Sarge) is
available:
security-updates/20070821/clamav-0.91.2-20070821_kolab.ix86-debian3.1-kolab
.rpm
All other server versions: Please build from the src.rpm.
The mirrors are listed on http://kolab.org/mirrors.html
While the mirrors are catching up, you can also get the package via rsync:
# rsync -tvP
rsync://rsync.kolab.org/kolab/server/security-updates/20070821/clamav-0.91.
2-20070821_kolab.src.rpm .
# rsync -tvP
rsync://rsync.kolab.org/kolab/server/security-updates/20070821/clamav-0.91.
2-20070821_kolab.ix86-debian3.1-kolab.rpm .
For Kolab Server 2.0.4 you have to copy the new
/kolab/etc/clamav/clamd.conf
to /kolab/etc/kolab/templates/clamd.conf.template so it will not be
overwritten by kolabconf. Do NOT copy this file with Kolab Server 2.1 or
2.2!
If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.