![[BACK]](/icons/back.gif){kind=icon}
Up to [cvs.NetBSD.org] / pkgsrc / security / clamav
Request diff between arbitrary revisions
Default branch: MAIN
Current tag: pkgsrc-2020Q2
Revision 1.68.2.1 / (download) - annotate - [select for diffs], Fri Aug 14 18:23:48 2020 UTC (3 years, 8 months ago) by bsiegert
Branch: pkgsrc-2020Q2
Changes since 1.68: +1 -2
lines
Diff to previous 1.68 (colored) next main 1.69 (colored)
Pullup ticket #6297 - requested by taca
security/clamav: security fix
Revisions pulled up:
- security/clamav/Makefile 1.69
- security/clamav/Makefile.common 1.17
- security/clamav/distinfo 1.34
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Jul 17 04:48:32 UTC 2020
Modified Files:
pkgsrc/security/clamav: Makefile Makefile.common distinfo
Log Message:
security/clamav: update to 0.102.4
Update clamav to 0.102.4.
## 0.102.4
ClamAV 0.102.4 is a bug patch release to address the following issues.
- [CVE-2020-3350](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3350):
Fix a vulnerability wherein a malicious user could replace a scan target's
directory with a symlink to another path to trick clamscan, clamdscan, or
clamonacc into removing or moving a different file (eg. a critical system
file). The issue would affect users that use the --move or --remove options
for clamscan, clamdscan, and clamonacc.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software).
- [CVE-2020-3327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327):
Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.3 that
could cause a Denial-of-Service (DoS) condition. Improper bounds checking
results in an out-of-bounds read which could cause a crash.
The previous fix for this CVE in 0.102.3 was incomplete. This fix correctly
resolves the issue.
- [CVE-2020-3481](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3481):
Fix a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3
could cause a Denial-of-Service (DoS) condition. Improper error handling
may result in a crash due to a NULL pointer dereference.
This vulnerability is mitigated for those using the official ClamAV
signature databases because the file type signatures in daily.cvd
will not enable the EGG archive parser in versions affected by the
vulnerability.
Revision 1.68 / (download) - annotate - [select for diffs], Tue Jun 2 08:22:54 2020 UTC (3 years, 10 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2020Q2-base
Branch point for: pkgsrc-2020Q2
Changes since 1.67: +2 -2
lines
Diff to previous 1.67 (colored)
Revbump for icu